MFC r289446:

Integrate tools/regression/acltools into the FreeBSD test suite as tests/sys/acl

- Make the requirements more complete for the testcases
- Detect prerequisites so the tests won't fail (zfs.ko is loaded, zpool(1)
  is available, ACL support is enabled with UFS, etc).
- Work with temporary files/directories/mountpoints that work with atf/kyua
- Limit the testcases to work on temporary filesystems to reduce tainting the
  test host

Reviewed by: trasz (earlier version)
Differential Revision: https://reviews.freebsd.org/D3810
ngie 2015-11-16 00:37:00 +00:00
parent 252de13015
commit 8163bfef59
16 changed files with 3345 additions and 0 deletions


@ -188,6 +188,8 @@
..
..
sys
acl
..
aio
..
fifo


@ -4,6 +4,7 @@
TESTSDIR= ${TESTSBASE}/sys
TESTS_SUBDIRS+= acl
TESTS_SUBDIRS+= aio
TESTS_SUBDIRS+= fifo
TESTS_SUBDIRS+= file

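--- /dev/null
+++ b/tests/sys/acl/00.sh
@@ -0,0 +1,88 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+# This is a wrapper script to run tools-posix.test on UFS filesystem.
+#
+# If any of the tests fails, here is how to debug it: go to
+# the directory with problematic filesystem mounted on it,
+# and do /path/to/test run /path/to/test tools-posix.test, e.g.
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-posix.test
+#
+# Output should be obvious.
+if [ $(sysctl -n kern.features.ufs_acl 2>/dev/null || echo 0) -eq 0 ]; then
+echo "1..0 # SKIP system does not have UFS ACL support"
+exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+echo "1..0 # SKIP you must be root"
+exit 0
+fi
+echo "1..4"
+TESTDIR=$(dirname $(realpath $0))
+# Set up the test filesystem.
+MD=`mdconfig -at swap -s 10m`
+MNT=`mktemp -dt acltools`
+newfs /dev/$MD > /dev/null
+trap "cd /; umount -f $MNT; rmdir $MNT; mdconfig -d -u $MD" EXIT
+mount -o acls /dev/$MD $MNT
+if [ $? -ne 0 ]; then
+echo "not ok 1 - mount failed."
+echo 'Bail out!'
+exit 1
+fi
+echo "ok 1"
+cd $MNT
+# First, check whether we can crash the kernel by creating too many
+# entries. For some reason this won't work in the test file.
+touch xxx
+i=0;
+while :; do i=$(($i+1)); setfacl -m u:$i:rwx xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done
+chmod 600 xxx
+rm xxx
+echo "ok 2"
+perl $TESTDIR/run $TESTDIR/tools-posix.test > /dev/null
+if [ $? -eq 0 ]; then
+echo "ok 3"
+else
+echo "not ok 3"
+fi
+cd /
+echo "ok 4"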
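Review bot: The `mdconfig -at swap -s 10m` and `mktemp -dt acltools` assignments are used without checking that either succeeded, so as root a failed `mdconfig` leaves `$MD` empty and the script still runs `newfs /dev/`, then `mdconfig -d -u` with no unit from the EXIT trap. Stop right after each assignment, e.g. `MD=$(mdconfig -at swap -s 10m) || { echo 'Bail out! mdconfig failed'; exit 1; }`, and quote `"$MNT"` and `"/dev/$MD"` where they are used. The same unchecked setup is repeated in 01.sh, 02.sh, 03.sh and 04.sh.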

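--- /dev/null
+++ b/tests/sys/acl/01.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+# This is a wrapper script to run tools-nfs4.test on ZFS filesystem.
+#
+# WARNING: It uses hardcoded ZFS pool name "acltools"
+#
+# If any of the tests fails, here is how to debug it: go to
+# the directory with problematic filesystem mounted on it,
+# and do /path/to/test run /path/to/test tools-nfs4.test, e.g.
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
+#
+# Output should be obvious.
+if ! sysctl vfs.zfs.version.spa >/dev/null 2>&1; then
+echo "1..0 # SKIP system doesn't have ZFS loaded"
+exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+echo "1..0 # SKIP you must be root"
+exit 0
+fi
+echo "1..4"
+TESTDIR=$(dirname $(realpath $0))
+# Set up the test filesystem.
+MD=`mdconfig -at swap -s 64m`
+MNT=`mktemp -dt acltools`
+trap "cd /; zpool destroy -f acltools; rmdir $MNT; mdconfig -d -u $MD" EXIT
+zpool create -m $MNT acltools /dev/$MD
+if [ $? -ne 0 ]; then
+echo "not ok 1 - 'zpool create' failed."
+echo 'Bail out!'
+exit 1
+fi
+echo "ok 1"
+cd $MNT
+# First, check whether we can crash the kernel by creating too many
+# entries. For some reason this won't work in the test file.
+touch xxx
+setfacl -x2 xxx
+while :; do setfacl -a0 u:42:rwx:allow xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done
+chmod 600 xxx
+rm xxx
+echo "ok 2"
+perl $TESTDIR/run $TESTDIR/tools-nfs4-psarc.test > /dev/null
+if [ $? -eq 0 ]; then
+echo "ok 3"
+else
+echo "not ok 3"
+fi
+echo "ok 4"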
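Review bot: The EXIT trap containing `zpool destroy -f acltools` is installed before `zpool create` runs, so when the create fails because the host already has a pool named acltools, the `exit 1` path force-destroys that pre-existing pool. Register the destroy only once the create has succeeded: start with `trap "cd /; rmdir $MNT; mdconfig -d -u $MD" EXIT` and re-issue the full trap after the `echo "ok 1"` line. A per-run pool name such as `acltools$$` would also remove the name collision that the header comment warns about.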

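--- /dev/null
+++ b/tests/sys/acl/02.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+# This is a wrapper script to run tools-nfs4.test on UFS filesystem.
+#
+# If any of the tests fails, here is how to debug it: go to
+# the directory with problematic filesystem mounted on it,
+# and do /path/to/test run /path/to/test tools-nfs4.test, e.g.
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
+#
+# Output should be obvious.
+if [ $(sysctl -n kern.features.ufs_acl 2>/dev/null || echo 0) -eq 0 ]; then
+echo "1..0 # SKIP system does not have UFS ACL support"
+exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+echo "1..0 # SKIP you must be root"
+exit 0
+fi
+echo "1..4"
+TESTDIR=$(dirname $(realpath $0))
+# Set up the test filesystem.
+MD=`mdconfig -at swap -s 10m`
+MNT=`mktemp -dt acltools`
+newfs /dev/$MD > /dev/null
+trap "cd /; umount -f $MNT; rmdir $MNT; mdconfig -d -u $MD" EXIT
+mount -o nfsv4acls /dev/$MD $MNT
+if [ $? -ne 0 ]; then
+echo "not ok 1 - mount failed."
+echo 'Bail out!'
+exit 1
+fi
+echo "ok 1"
+cd $MNT
+# First, check whether we can crash the kernel by creating too many
+# entries. For some reason this won't work in the test file.
+touch xxx
+setfacl -x2 xxx
+while :; do setfacl -a0 u:42:rwx:allow xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done
+chmod 600 xxx
+rm xxx
+echo "ok 2"
+if [ `sysctl -n vfs.acl_nfs4_old_semantics` = 0 ]; then
+perl $TESTDIR/run $TESTDIR/tools-nfs4-psarc.test > /dev/null
+else
+perl $TESTDIR/run $TESTDIR/tools-nfs4.test > /dev/null
+fi
+if [ $? -eq 0 ]; then
+echo "ok 3"
+else
+echo "not ok 3"
+fi
+cd /
+echo "ok 4"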
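Review bot: The `sysctl -n vfs.acl_nfs4_old_semantics` substitution in the `if [ ... = 0 ]` test is unquoted, so on a kernel that lacks this sysctl the test collapses to `[ = 0 ]`, prints an error, and the script silently takes the `else` branch and runs tools-nfs4.test. Quote the substitution and silence the lookup, `if [ "$(sysctl -n vfs.acl_nfs4_old_semantics 2>/dev/null)" = 0 ]; then`, or decide explicitly which test file applies when the sysctl is missing. Whichever branch runs, sending the perl output to `/dev/null` means a `not ok 3` carries no hint of which command failed.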

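--- /dev/null
+++ b/tests/sys/acl/03.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+# This is a wrapper script to run tools-crossfs.test between UFS without
+# ACLs, UFS with POSIX.1e ACLs, and ZFS with NFSv4 ACLs.
+#
+# WARNING: It uses hardcoded ZFS pool name "acltools"
+#
+# Output should be obvious.
+if ! sysctl vfs.zfs.version.spa >/dev/null 2>&1; then
+echo "1..0 # SKIP system doesn't have ZFS loaded"
+exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+echo "1..0 # SKIP you must be root"
+exit 0
+fi
+echo "1..5"
+TESTDIR=$(dirname $(realpath $0))
+MNTROOT=`mktemp -dt acltools`
+# Set up the test filesystems.
+MD1=`mdconfig -at swap -s 64m`
+MNT1=$MNTROOT/nfs4
+mkdir $MNT1
+zpool create -m $MNT1 acltools /dev/$MD1
+if [ $? -ne 0 ]; then
+echo "not ok 1 - 'zpool create' failed."
+echo 'Bail out!'
+exit 1
+fi
+echo "ok 1"
+MD2=`mdconfig -at swap -s 10m`
+MNT2=$MNTROOT/posix
+mkdir $MNT2
+newfs /dev/$MD2 > /dev/null
+mount -o acls /dev/$MD2 $MNT2
+if [ $? -ne 0 ]; then
+echo "not ok 2 - mount failed."
+echo 'Bail out!'
+exit 1
+fi
+echo "ok 2"
+MD3=`mdconfig -at swap -s 10m`
+MNT3=$MNTROOT/none
+mkdir $MNT3
+newfs /dev/$MD3 > /dev/null
+mount /dev/$MD3 $MNT3
+if [ $? -ne 0 ]; then
+echo "not ok 3 - mount failed."
+echo 'Bail out!'
+exit 1
+fi
+echo "ok 3"
+cd $MNTROOT
+perl $TESTDIR/run $TESTDIR/tools-crossfs.test > /dev/null
+if [ $? -eq 0 ]; then
+echo "ok 4"
+else
+echo "not ok 4"
+fi
+cd /
+umount -f $MNT3
+rmdir $MNT3
+mdconfig -du $MD3
+umount -f $MNT2
+rmdir $MNT2
+mdconfig -du $MD2
+zpool destroy -f acltools
+rmdir $MNT1
+mdconfig -du $MD1
+rmdir $MNTROOT
+echo "ok 5"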
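Review bot: Unlike 00.sh through 02.sh, this script installs no EXIT trap, so each `Bail out!` path exits with the memory disks, mounts, the `acltools` pool and `$MNTROOT` created so far still present on the test host; teardown happens only at the bottom of the success path. A single cleanup function registered with `trap cleanup EXIT` right after `MNTROOT` is created, releasing only what has actually been set up, would cover every exit, and the explicit teardown before `echo "ok 5"` then moves into it. 04.sh has the same gap on its `zpool create` failure path. A sketch of the shape follows.

```sh
MNTROOT=`mktemp -dt acltools`
POOL_CREATED=
cleanup()
{
	cd /
	if [ -n "$MD3" ]; then umount -f "$MNT3"; mdconfig -du "$MD3"; fi
	if [ -n "$MD2" ]; then umount -f "$MNT2"; mdconfig -du "$MD2"; fi
	# Destroy the pool only if this run created it.
	if [ -n "$POOL_CREATED" ]; then zpool destroy -f acltools; fi
	if [ -n "$MD1" ]; then mdconfig -du "$MD1"; fi
	rmdir "$MNT3" "$MNT2" "$MNT1" "$MNTROOT" 2>/dev/null
}
trap cleanup EXIT
# … unchanged: MD1/MNT1 setup and the 'zpool create' check …
POOL_CREATED=yes
echo "ok 1"
# … unchanged: MD2 and MD3 setup, tools-crossfs.test run …
cd /
echo "ok 5"
```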

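--- /dev/null
+++ b/tests/sys/acl/04.sh
@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+# Copyright (c) 2011 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+# This is a wrapper script to run tools-nfs4-trivial.test on ZFS filesystem.
+#
+# WARNING: It uses hardcoded ZFS pool name "acltools"
+if ! sysctl vfs.zfs.version.spa >/dev/null 2>&1; then
+echo "1..0 # SKIP system doesn't have ZFS loaded"
+exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+echo "1..0 # SKIP you must be root"
+exit 0
+fi
+echo "1..3"
+TESTDIR=$(dirname $(realpath $0))
+# Set up the test filesystem.
+MD=`mdconfig -at swap -s 64m`
+MNT=`mktemp -dt acltools`
+zpool create -m $MNT acltools /dev/$MD
+if [ $? -ne 0 ]; then
+echo "not ok 1 - 'zpool create' failed."
+exit 1
+fi
+echo "ok 1"
+cd $MNT
+perl $TESTDIR/run $TESTDIR/tools-nfs4-trivial.test > /dev/null
+if [ $? -eq 0 ]; then
+echo "ok 2"
+else
+echo "not ok 2"
+fi
+cd /
+zpool destroy -f acltools
+rmdir $MNT
+mdconfig -du $MD
+echo "ok 3"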

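--- /dev/null
+++ b/tests/sys/acl/Makefile
@@ -0,0 +1,29 @@
+# $FreeBSD$
+TESTSDIR= ${TESTSBASE}/sys/acl
+BINDIR= ${TESTSDIR}
+FILES+= tools-crossfs.test
+FILES+= tools-nfs4.test
+FILES+= tools-nfs4-psarc.test
+FILES+= tools-nfs4-trivial.test
+FILES+= tools-posix.test
+SCRIPTS+= run
+TAP_TESTS_SH+= 00
+TAP_TESTS_SH+= 01
+TAP_TESTS_SH+= 02
+TAP_TESTS_SH+= 03
+TAP_TESTS_SH+= 04
+.for t in ${TAP_TESTS_SH}
+TEST_METADATA.$t+= required_user="root"
+.endfor
+.for t in 01 03 04
+TEST_METADATA.$t+= required_programs="/sbin/zpool"
+.endfor
+.include <bsd.test.mk>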
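Review bot: Every wrapper runs `perl $TESTDIR/run ...`, but only `/sbin/zpool` is declared in `required_programs`, so on a host without perl (it is not part of the FreeBSD base system) the cases report `not ok` instead of being skipped. Declare it in the metadata: `TEST_METADATA.$t+= required_programs="perl"` in the `${TAP_TESTS_SH}` loop and `required_programs="perl /sbin/zpool"` in the `01 03 04` loop. Whether a second `required_programs=` entry replaces or extends the first depends on how bsd.test.mk merges metadata, which is not visible here, so the ZFS loop should list both programs itself.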

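--- /dev/null
+++ b/tests/sys/acl/aclfuzzer.sh
@@ -0,0 +1,225 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+# This is an NFSv4 ACL fuzzer. It expects to be run by non-root in a scratch
+# directory on a filesystem with NFSv4 ACLs support. Output it generates
+# is expected to be fed to /usr/src/tools/regression/acltools/run script.
+NUMBER_OF_COMMANDS=300
+run_command()
+{
+echo "\$ $1"
+eval $1 2>&1 | sed 's/^/> /'
+}
+rnd_from_0_to()
+{
+max=`expr $1 + 1`
+rnd=`jot -r 1`
+rnd=`expr $rnd % $max`
+echo $rnd
+}
+rnd_path()
+{
+rnd=`rnd_from_0_to 3`
+case $rnd in
+0) echo "$TMP/aaa" ;;
+1) echo "$TMP/bbb" ;;
+2) echo "$TMP/aaa/ccc" ;;
+3) echo "$TMP/bbb/ddd" ;;
+esac
+}
+f_prepend_random_acl_on()
+{
+rnd=`rnd_from_0_to 4`
+case $rnd in
+0) u="owner@" ;;
+1) u="group@" ;;
+2) u="everyone@" ;;
+3) u="u:1138" ;;
+4) u="g:1138" ;;
+esac
+p=""
+while :; do
+rnd=`rnd_from_0_to 30`
+if [ -n "$p" -a $rnd -ge 14 ]; then
+break;
+fi
+case $rnd in
+0) p="${p}r" ;;
+1) p="${p}w" ;;
+2) p="${p}x" ;;
+3) p="${p}p" ;;
+4) p="${p}d" ;;
+5) p="${p}D" ;;
+6) p="${p}a" ;;
+7) p="${p}A" ;;
+8) p="${p}R" ;;
+9) p="${p}W" ;;
+10) p="${p}R" ;;
+11) p="${p}c" ;;
+12) p="${p}C" ;;
+13) p="${p}o" ;;
+14) p="${p}s" ;;
+esac
+done
+f=""
+while :; do
+rnd=`rnd_from_0_to 10`
+if [ $rnd -ge 6 ]; then
+break;
+fi
+case $rnd in
+0) f="${f}f" ;;
+1) f="${f}d" ;;
+2) f="${f}n" ;;
+3) f="${f}i" ;;
+esac
+done
+rnd=`rnd_from_0_to 1`
+case $rnd in
+0) x="allow" ;;
+1) x="deny" ;;
+esac
+acl="$u:$p:$f:$x"
+file=`rnd_path`
+run_command "setfacl -a0 $acl $file"
+}
+f_getfacl()
+{
+file=`rnd_path`
+run_command "getfacl -qn $file"
+}
+f_ls_mode()
+{
+file=`rnd_path`
+run_command "ls -al $file | sed -n '2p' | cut -d' ' -f1"
+}
+f_chmod()
+{
+b1=`rnd_from_0_to 7`
+b2=`rnd_from_0_to 7`
+b3=`rnd_from_0_to 7`
+b4=`rnd_from_0_to 7`
+file=`rnd_path`
+run_command "chmod $b1$b2$b3$b4 $file $2"
+}
+f_touch()
+{
+file=`rnd_path`
+run_command "touch $file"
+}
+f_rm()
+{
+file=`rnd_path`
+run_command "rm -f $file"
+}
+f_mkdir()
+{
+file=`rnd_path`
+run_command "mkdir $file"
+}
+f_rmdir()
+{
+file=`rnd_path`
+run_command "rmdir $file"
+}
+f_mv()
+{
+from=`rnd_path`
+to=`rnd_path`
+run_command "mv -f $from $to"
+}
+# XXX: To be implemented: chown(8), setting times with touch(1).
+switch_to_random_user()
+{
+# XXX: To be implemented.
+}
+execute_random_command()
+{
+rnd=`rnd_from_0_to 20`
+case $rnd in
+0|10|11|12|13|15) cmd=f_prepend_random_acl_on ;;
+1) cmd=f_getfacl ;;
+2) cmd=f_ls_mode ;;
+3) cmd=f_chmod ;;
+4|18|19) cmd=f_touch ;;
+5) cmd=f_rm ;;
+6|16|17) cmd=f_mkdir ;;
+7) cmd=f_rmdir ;;
+8) cmd=f_mv ;;
+esac
+$cmd "XXX"
+}
+echo "# Fuzzing; will stop after $NUMBER_OF_COMMANDS commands."
+TMP="aclfuzzer_`dd if=/dev/random bs=1k count=1 2>/dev/null | openssl md5`"
+run_command "whoami"
+umask 022
+run_command "umask 022"
+run_command "mkdir $TMP"
+i=0;
+while [ "$i" -lt "$NUMBER_OF_COMMANDS" ]; do
+switch_to_random_user
+execute_random_command
+i=`expr $i + 1`
+done
+run_command "find $TMP -exec setfacl -a0 everyone@:rxd:allow {} \;"
+run_command "rm -rfv $TMP"
+echo "# Fuzzed, thank you."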
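Review bot: `switch_to_random_user()` has a body that holds only a comment, which sh rejects as a syntax error because a brace group needs at least one command, so the script would not get past parsing; put a `:` placeholder in the body until it is implemented. Separately, `run_command` passes its argument through an unquoted `eval $1`, so the string is word-split and glob-expanded before it is evaluated; `eval "$1"` keeps the echoed command and the executed one identical. `TMP` also takes the raw output of `openssl md5`, which on OpenSSL builds that prefix the digest with `(stdin)= ` would put parentheses and a space into every evaluated path, including the final `rm -rfv $TMP`; worth confirming, or reducing the output to the hex digest.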

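--- /dev/null
+++ b/tests/sys/acl/mktrivial.sh
@@ -0,0 +1,53 @@
+#!/bin/sh
+#
+# Copyright (c) 2010 Edward Tomasz Napierała <trasz@FreeBSD.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+# This shell script generates an input file for the "run" script, used
+# to verify generation of trivial ACLs.
+echo "$ touch f"
+touch f
+for s in `jot 7 0 7`; do
+for u in `jot 7 0 7`; do
+for g in `jot 7 0 7`; do
+for o in `jot 7 0 7`; do
+echo "$ chmod 0$s$u$g$o f"
+chmod "0$s$u$g$o" f
+echo "$ ls -l f | cut -d' ' -f1"
+ls -l f | cut -d' ' -f1 | sed 's/^/> /'
+echo "$ getfacl -q f"
+getfacl -q f | sed 's/^/> /'
+done
+done
+done
+done
+echo "$ rm f"
+rm f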
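Review bot: `jot 7 0 7` asks for seven values spread between 0 and 7 rather than the eight integers 0 through 7, so each of the four loops appears to skip one octal digit and the generated input would not cover every mode. If full coverage is intended, `jot 8 0 7` in the `s`, `u`, `g` and `o` loops yields 0 through 7. The file also has no header comment saying where it must be run; a line such as `# Run in an empty scratch directory on the filesystem under test; creates and removes ./f.` would make that explicit.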

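--- /dev/null
+++ b/tests/sys/acl/run
@@ -0,0 +1,329 @@
+#!/usr/bin/perl -w -U
+# Copyright (c) 2007, 2008 Andreas Gruenbacher.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions, and the following disclaimer,
+# without modification, immediately at the beginning of the file.
+# 2. The name of the author may not be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# Alternatively, this software may be distributed under the terms of the
+# GNU Public License ("GPL").
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
+# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+#
+# Possible improvements:
+#
+# - distinguish stdout and stderr output
+# - add environment variable like assignments
+# - run up to a specific line
+# - resume at a specific line
+#
+use strict;
+use FileHandle;
+use Getopt::Std;
+use POSIX qw(isatty setuid getcwd);
+use vars qw($opt_l $opt_v);
+no warnings qw(taint);
+$opt_l = ~0; # a really huge number
+getopts('l:v');
+my ($OK, $FAILED) = ("ok", "failed");
+if (isatty(fileno(STDOUT))) {
+$OK = "\033[32m" . $OK . "\033[m";
+$FAILED = "\033[31m\033[1m" . $FAILED . "\033[m";
+}
+sub exec_test($$);
+sub process_test($$$$);
+my ($prog, $in, $out) = ([], [], []);
+my $prog_line = 0;
+my ($tests, $failed) = (0,0);
+my $lineno;
+my $width = ($ENV{COLUMNS} || 80) >> 1;
+for (;;) {
+my $line = <>; $lineno++;
+if (defined $line) {
+# Substitute %VAR and %{VAR} with environment variables.
+$line =~ s[%(\w+)][$ENV{$1}]eg;
+$line =~ s[%{(\w+)}][$ENV{$1}]eg;
+}
+if (defined $line) {
+if ($line =~ s/^\s*< ?//) {
+push @$in, $line;
+} elsif ($line =~ s/^\s*> ?//) {
+push @$out, $line;
+} else {
+process_test($prog, $prog_line, $in, $out);
+last if $prog_line >= $opt_l;
+$prog = [];
+$prog_line = 0;
+}
+if ($line =~ s/^\s*\$ ?//) {
+$prog = [ map { s/\\(.)/$1/g; $_ } split /(?<!\\)\s+/, $line ];
+$prog_line = $lineno;
+$in = [];
+$out = [];
+}
+} else {
+process_test($prog, $prog_line, $in, $out);
+last;
+}
+}
+my $status = sprintf("%d commands (%d passed, %d failed)",
+$tests, $tests-$failed, $failed);
+if (isatty(fileno(STDOUT))) {
+if ($failed) {
+$status = "\033[31m\033[1m" . $status . "\033[m";
+} else {
+$status = "\033[32m" . $status . "\033[m";
+}
+}
+print $status, "\n";
+exit $failed ? 1 : 0;
+sub process_test($$$$) {
+my ($prog, $prog_line, $in, $out) = @_;
+return unless @$prog;
+my $p = [ @$prog ];
+print "[$prog_line] \$ ", join(' ',
+map { s/\s/\\$&/g; $_ } @$p), " -- ";
+my $result = exec_test($prog, $in);
+my @good = ();
+my $nmax = (@$out > @$result) ? @$out : @$result;
+for (my $n=0; $n < $nmax; $n++) {
+my $use_re;
+if (defined $out->[$n] && $out->[$n] =~ /^~ /) {
+$use_re = 1;
+$out->[$n] =~ s/^~ //g;
+}
+if (!defined($out->[$n]) || !defined($result->[$n]) ||
+(!$use_re && $result->[$n] ne $out->[$n]) ||
+( $use_re && $result->[$n] !~ /^$out->[$n]/)) {
+push @good, ($use_re ? '!~' : '!=');
+}
+else {
+push @good, ($use_re ? '=~' : '==');
+}
+}
+my $good = !(grep /!/, @good);
+$tests++;
+$failed++ unless $good;
+print $good ? $OK : $FAILED, "\n";
+if (!$good || $opt_v) {
+for (my $n=0; $n < $nmax; $n++) {
+my $l = defined($out->[$n]) ? $out->[$n] : "~";
+chomp $l;
+my $r = defined($result->[$n]) ? $result->[$n] : "~";
+chomp $r;
+print sprintf("%-" . ($width-3) . "s %s %s\n",
+$r, $good[$n], $l);
+}
+}
+}
+sub su($) {
+my ($user) = @_;
+$user ||= "root";
+my ($login, $pass, $uid, $gid) = getpwnam($user)
+or return [ "su: user $user does not exist\n" ];
+my @groups = ();
+my $fh = new FileHandle("/etc/group")
+or return [ "opening /etc/group: $!\n" ];
+while (<$fh>) {
+chomp;
+my ($group, $passwd, $gid, $users) = split /:/;
+foreach my $u (split /,/, $users) {
+push @groups, $gid
+if ($user eq $u);
+}
+}
+$fh->close;
+my $groups = join(" ", ($gid, $gid, @groups));
+#print STDERR "[[$groups]]\n";
+$! = 0; # reset errno
+$> = 0;
+$( = $gid;
+$) = $groups;
+if ($!) {
+return [ "su: $!\n" ];
+}
+if ($uid != 0) {
+$> = $uid;
+#$< = $uid;
+if ($!) {
+return [ "su: $prog->[1]: $!\n" ];
+}
+}
+#print STDERR "[($>,$<)($(,$))]";
+return [];
+}
+sub sg($) {
+my ($group) = @_;
+my $gid = getgrnam($group)
+or return [ "sg: group $group does not exist\n" ];
+my %groups = map { $_ eq $gid ? () : ($_ => 1) } (split /\s/, $));
+#print STDERR "<<", join("/", keys %groups), ">>\n";
+my $groups = join(" ", ($gid, $gid, keys %groups));
+#print STDERR "[[$groups]]\n";
+$! = 0; # reset errno
+if ($> != 0) {
+my $uid = $>;
+$> = 0;
+$( = $gid;
+$) = $groups;
+$> = $uid;
+} else {
+$( = $gid;
+$) = $groups;
+}
+if ($!) {
+return [ "sg: $!\n" ];
+}
+print STDERR "[($>,$<)($(,$))]";
+return [];
+}
+sub exec_test($$) {
+my ($prog, $in) = @_;
+local (*IN, *IN_DUP, *IN2, *OUT_DUP, *OUT, *OUT2);
+my $needs_shell = (join('', @$prog) =~ /[][|<>"'`\$\*\?]/);
+if ($prog->[0] eq "umask") {
+umask oct $prog->[1];
+return [];
+} elsif ($prog->[0] eq "cd") {
+if (!chdir $prog->[1]) {
+return [ "chdir: $prog->[1]: $!\n" ];
+}
+$ENV{PWD} = getcwd;
+return [];
+} elsif ($prog->[0] eq "su") {
+return su($prog->[1]);
+} elsif ($prog->[0] eq "sg") {
+return sg($prog->[1]);
+} elsif ($prog->[0] eq "export") {
+my ($name, $value) = split /=/, $prog->[1];
+# FIXME: need to evaluate $value, so that things like this will work:
+# export dir=$PWD/dir
+$ENV{$name} = $value;
+return [];
+} elsif ($prog->[0] eq "unset") {
+delete $ENV{$prog->[1]};
+return [];
+}
+pipe *IN2, *OUT
+or die "Can't create pipe for reading: $!";
+open *IN_DUP, "<&STDIN"
+or *IN_DUP = undef;
+open *STDIN, "<&IN2"
+or die "Can't duplicate pipe for reading: $!";
+close *IN2;
+open *OUT_DUP, ">&STDOUT"
+or die "Can't duplicate STDOUT: $!";
+pipe *IN, *OUT2
+or die "Can't create pipe for writing: $!";
+open *STDOUT, ">&OUT2"
+or die "Can't duplicate pipe for writing: $!";
+close *OUT2;
+*STDOUT->autoflush();
+*OUT->autoflush();
+$SIG{CHLD} = 'IGNORE';
+if (fork()) {
+# Server
+if (*IN_DUP) {
+open *STDIN, "<&IN_DUP"
+or die "Can't duplicate STDIN: $!";
+close *IN_DUP
+or die "Can't close STDIN duplicate: $!";
+}
+open *STDOUT, ">&OUT_DUP"
+or die "Can't duplicate STDOUT: $!";
+close *OUT_DUP
+or die "Can't close STDOUT duplicate: $!";
+foreach my $line (@$in) {
+#print "> $line";
+print OUT $line;
+}
+close *OUT
+or die "Can't close pipe for writing: $!";
+my $result = [];
+while (<IN>) {
+#print "< $_";
+if ($needs_shell) {
+s#^/bin/sh: line \d+: ##;
+}
+push @$result, $_;
+}
+return $result;
+} else {
+# Client
+$< = $>;
+close IN
+or die "Can't close read end for input pipe: $!";
+close OUT
+or die "Can't close write end for output pipe: $!";
+close OUT_DUP
+or die "Can't close STDOUT duplicate: $!";
+local *ERR_DUP;
+open ERR_DUP, ">&STDERR"
+or die "Can't duplicate STDERR: $!";
+open STDERR, ">&STDOUT"
+or die "Can't join STDOUT and STDERR: $!";
+if ($needs_shell) {
+exec ('/bin/sh', '-c', join(" ", @$prog));
+} else {
+exec @$prog;
+}
+print STDERR $prog->[0], ": $!\n";
+exit;
+}
+}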
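Review bot: In the `# Client` branch of `exec_test`, `$< = $>` is not followed by any check, whereas `su()` and `sg()` test `$!` after changing ids; if the real-uid change fails, the command still runs with the parent's real uid (root when the wrappers invoke it), and the ACL result being compared may not reflect the user selected with `su`. Reset and test errno there too: `$! = 0; $< = $>; die "Can't set real uid: $!" if $!;`. `sg()` also still has its `print STDERR "[($>,$<)($(,$))]";` debug line enabled, while the matching line in `su()` is commented out. The file carries no note that test files are executed verbatim through `/bin/sh -c` with `%VAR` expansion from the environment; a header comment saying that only trusted `.test` files should be fed to it would help.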


@ -0,0 +1,323 @@
# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#
# This is a tools-level test intended to verify that cp(1) and mv(1)
# do the right thing with respect to ACLs. Run it as root using
# ACL-enabled kernel:
#
# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
#
# You need to have three subdirectories, named nfs4, posix and none,
# with filesystems with NFSv4 ACLs, POSIX.1e ACLs and no ACLs enabled,
# respectively, mounted on them, in your current directory.
#
# WARNING: Creates files in unsafe way.
$ whoami
> root
$ umask 022
$ touch nfs4/xxx
$ getfacl -nq nfs4/xxx
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
$ touch posix/xxx
$ getfacl -nq posix/xxx
> user::rw-
> group::r--
> other::r--
# mv with POSIX.1e ACLs.
$ rm -f posix/xxx
$ rm -f posix/yyy
$ touch posix/xxx
$ chmod 456 posix/xxx
$ ls -l posix/xxx | cut -d' ' -f1
> -r--r-xrw-
$ setfacl -m u:42:x,g:43:w posix/xxx
$ mv posix/xxx posix/yyy
$ getfacl -nq posix/yyy
> user::r--
> user:42:--x
> group::r-x
> group:43:-w-
> mask::rwx
> other::rw-
$ ls -l posix/yyy | cut -d' ' -f1
> -r--rwxrw-+
# mv from POSIX.1e to none.
$ rm -f posix/xxx
$ rm -f none/xxx
$ touch posix/xxx
$ chmod 345 posix/xxx
$ setfacl -m u:42:x,g:43:w posix/xxx
$ ls -l posix/xxx | cut -d' ' -f1
> --wxrwxr-x+
$ mv posix/xxx none/xxx
> mv: failed to set acl entries for none/xxx: Operation not supported
$ ls -l none/xxx | cut -d' ' -f1
> --wxrwxr-x
# mv from POSIX.1e to NFSv4.
$ rm -f posix/xxx
$ rm -f nfs4/xxx
$ touch posix/xxx
$ chmod 456 posix/xxx
$ setfacl -m u:42:x,g:43:w posix/xxx
$ ls -l posix/xxx | cut -d' ' -f1
> -r--rwxrw-+
$ mv posix/yyy nfs4/xxx
> mv: failed to set acl entries for nfs4/xxx: Invalid argument
$ getfacl -nq nfs4/xxx
> owner@:-wxp----------:-------:deny
> owner@:r-----aARWcCos:-------:allow
> group@:rwxp--a-R-c--s:-------:allow
> everyone@:rw-p--a-R-c--s:-------:allow
$ ls -l nfs4/xxx | cut -d' ' -f1
> -r--rwxrw-
# mv with NFSv4 ACLs.
$ rm -f nfs4/xxx
$ rm -f nfs4/yyy
$ touch nfs4/xxx
$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
$ mv nfs4/xxx nfs4/yyy
$ getfacl -nq nfs4/yyy
> user:42:--x-----------:-------:allow
> group:43:-w------------:-------:allow
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
$ ls -l nfs4/yyy | cut -d' ' -f1
> -rw-r--r--+
# mv from NFSv4 to POSIX.1e without any ACLs.
$ rm -f nfs4/xxx
$ rm -f posix/xxx
$ touch nfs4/xxx
$ chmod 456 nfs4/xxx
$ ls -l nfs4/xxx | cut -d' ' -f1
> -r--r-xrw-
$ mv nfs4/xxx posix/xxx
$ ls -l posix/xxx | cut -d' ' -f1
> -r--r-xrw-
# mv from NFSv4 to none.
$ rm -f nfs4/xxx
$ rm -f none/xxx
$ touch nfs4/xxx
$ chmod 345 nfs4/xxx
$ ls -l nfs4/xxx | cut -d' ' -f1
> --wxr--r-x
$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
$ ls -l nfs4/xxx | cut -d' ' -f1
> --wxr--r-x+
$ mv nfs4/xxx none/xxx
> mv: failed to set acl entries for none/xxx: Operation not supported
$ ls -l none/xxx | cut -d' ' -f1
> --wxr--r-x
# mv from NFSv4 to POSIX.1e.
$ rm -f nfs4/xxx
$ rm -f posix/xxx
$ touch nfs4/xxx
$ chmod 345 nfs4/xxx
$ ls -l nfs4/xxx | cut -d' ' -f1
> --wxr--r-x
$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
$ ls -l nfs4/xxx | cut -d' ' -f1
> --wxr--r-x+
$ mv nfs4/xxx posix/xxx
> mv: failed to set acl entries for posix/xxx: Invalid argument
$ ls -l posix/xxx | cut -d' ' -f1
> --wxr--r-x
# cp with POSIX.1e ACLs.
$ rm -f posix/xxx
$ rm -f posix/yyy
$ touch posix/xxx
$ setfacl -m u:42:x,g:43:w posix/xxx
$ ls -l posix/xxx | cut -d' ' -f1
> -rw-rwxr--+
$ cp posix/xxx posix/yyy
$ ls -l posix/yyy | cut -d' ' -f1
> -rw-r-xr--
# cp -p with POSIX.1e ACLs.
$ rm -f posix/xxx
$ rm -f posix/yyy
$ touch posix/xxx
$ setfacl -m u:42:x,g:43:w posix/xxx
$ getfacl -nq posix/xxx
> user::rw-
> user:42:--x
> group::r--
> group:43:-w-
> mask::rwx
> other::r--
$ ls -l posix/xxx | cut -d' ' -f1
> -rw-rwxr--+
$ cp -p posix/xxx posix/yyy
$ getfacl -nq posix/yyy
> user::rw-
> user:42:--x
> group::r--
> group:43:-w-
> mask::rwx
> other::r--
$ ls -l posix/yyy | cut -d' ' -f1
> -rw-rwxr--+
# cp from POSIX.1e to none.
$ rm -f posix/xxx
$ rm -f none/xxx
$ touch posix/xxx
$ setfacl -m u:42:x,g:43:w posix/xxx
$ ls -l posix/xxx | cut -d' ' -f1
> -rw-rwxr--+
$ cp posix/xxx none/xxx
$ ls -l none/xxx | cut -d' ' -f1
> -rw-r-xr--
# cp -p from POSIX.1e to none.
$ rm -f posix/xxx
$ rm -f none/xxx
$ touch posix/xxx
$ setfacl -m u:42:x,g:43:w posix/xxx
$ ls -l posix/xxx | cut -d' ' -f1
> -rw-rwxr--+
$ cp -p posix/xxx none/xxx
> cp: failed to set acl entries for none/xxx: Operation not supported
$ ls -l none/xxx | cut -d' ' -f1
> -rw-rwxr--
# cp from POSIX.1e to NFSv4.
$ rm -f posix/xxx
$ rm -f nfs4/xxx
$ touch posix/xxx
$ setfacl -m u:42:x,g:43:w posix/xxx
$ ls -l posix/xxx | cut -d' ' -f1
> -rw-rwxr--+
$ cp posix/xxx nfs4/xxx
$ ls -l nfs4/xxx | cut -d' ' -f1
> -rw-r-xr--
# cp -p from POSIX.1e to NFSv4.
$ rm -f posix/xxx
$ rm -f nfs4/xxx
$ touch posix/xxx
$ setfacl -m u:42:x,g:43:w posix/xxx
$ ls -l posix/xxx | cut -d' ' -f1
> -rw-rwxr--+
$ cp -p posix/xxx nfs4/xxx
> cp: failed to set acl entries for nfs4/xxx: Invalid argument
$ ls -l nfs4/xxx | cut -d' ' -f1
> -rw-rwxr--
# cp with NFSv4 ACLs.
$ rm -f nfs4/xxx
$ rm -f nfs4/yyy
$ touch nfs4/xxx
$ chmod 543 nfs4/xxx
$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
$ ls -l nfs4/xxx | cut -d' ' -f1
> -r-xr---wx+
$ cp nfs4/xxx nfs4/yyy
$ ls -l nfs4/yyy | cut -d' ' -f1
> -r-xr----x
# cp -p with NFSv4 ACLs.
$ rm -f nfs4/xxx
$ rm -f nfs4/yyy
$ touch nfs4/xxx
$ chmod 543 nfs4/xxx
$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
$ cp -p nfs4/xxx nfs4/yyy
$ getfacl -nq nfs4/yyy
> user:42:--x-----------:-------:allow
> group:43:-w------------:-------:allow
> owner@:--x-----------:-------:allow
> owner@:-w-p----------:-------:deny
> group@:-wxp----------:-------:deny
> owner@:r-x---aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:-wxp--a-R-c--s:-------:allow
$ ls -l nfs4/yyy | cut -d' ' -f1
> -r-xr---wx+
# cp from NFSv4 to none.
$ rm -f nfs4/xxx
$ rm -f none/xxx
$ touch nfs4/xxx
$ chmod 543 nfs4/xxx
$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
$ ls -l nfs4/xxx | cut -d' ' -f1
> -r-xr---wx+
$ cp nfs4/xxx none/xxx
$ ls -l none/xxx | cut -d' ' -f1
> -r-xr----x
# cp -p from NFSv4 to none.
$ rm -f nfs4/xxx
$ rm -f none/xxx
$ touch nfs4/xxx
$ chmod 543 nfs4/xxx
$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
$ ls -l nfs4/xxx | cut -d' ' -f1
> -r-xr---wx+
$ cp -p nfs4/xxx none/xxx
> cp: failed to set acl entries for none/xxx: Operation not supported
$ ls -l none/xxx | cut -d' ' -f1
> -r-xr---wx
# cp from NFSv4 to POSIX.1e.
$ rm -f nfs4/xxx
$ rm -f posix/xxx
$ touch nfs4/xxx
$ chmod 543 nfs4/xxx
$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
$ ls -l nfs4/xxx | cut -d' ' -f1
> -r-xr---wx+
$ cp nfs4/xxx posix/xxx
$ ls -l posix/xxx | cut -d' ' -f1
> -r-xr----x
# cp -p from NFSv4 to POSIX.1e.
$ rm -f nfs4/xxx
$ rm -f posix/xxx
$ touch nfs4/xxx
$ chmod 543 nfs4/xxx
$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
$ ls -l nfs4/xxx | cut -d' ' -f1
> -r-xr---wx+
$ cp -p nfs4/xxx posix/xxx
> cp: failed to set acl entries for posix/xxx: Invalid argument
$ ls -l posix/xxx | cut -d' ' -f1
> -r-xr---wx
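Review bot: In the "mv from POSIX.1e to NFSv4" case the move is `$ mv posix/yyy nfs4/xxx`, so it consumes the posix/yyy left behind by the earlier "mv with POSIX.1e ACLs" case instead of the posix/xxx that this case has just created, chmod'ed and given an ACL. The expected output still matches only because both files carry mode 456 and the same two ACL entries. The case therefore passes without exercising its own fixture, and it would fail for an unrelated reason if the earlier case were changed or did not complete. I would change the line to `$ mv posix/xxx nfs4/xxx`, which also avoids leaving a stale posix/xxx behind for the next case's `rm -f` to clean up.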


@ -0,0 +1,562 @@
# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#
# This is a tools-level test for NFSv4 ACL functionality with PSARC/2010/029
# semantics. Run it as root using ACL-enabled kernel:
#
# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4-psarc.test
#
# WARNING: Creates files in unsafe way.
$ whoami
> root
$ umask 022
# Smoke test for getfacl(1).
$ touch xxx
$ getfacl xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
$ getfacl -q xxx
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
# Check verbose mode formatting.
$ getfacl -v xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:read_data/write_data/append_data/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize::allow
> group@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
> everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
# Test setfacl -a.
$ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
# Test user and group name resolving.
$ rm xxx
$ touch xxx
$ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx
$ getfacl xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> user:root:-----------C--:-------:allow
> group:daemon:----------c---:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
# Check whether ls correctly marks files with "+".
$ ls -l xxx | cut -d' ' -f1
> -rw-r--r--+
# Test removing entries by number.
$ setfacl -x 1 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
# Test setfacl -m.
$ setfacl -a0 everyone@:rwx:deny xxx
$ setfacl -a0 everyone@:rwx:deny xxx
$ setfacl -a0 everyone@:rwx:deny xxx
$ setfacl -m everyone@::deny xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> owner@:rw-p--aARWcCos:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
# Test getfacl -i.
$ getfacl -i xxx
> # file: xxx
> # owner: root
> # group: wheel
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> owner@:rw-p--aARWcCos:-------:allow
> user:root:-----------C--:-------:allow:0
> group:daemon:----------c---:-------:deny:1
> everyone@:r-----a-R-c--s:-------:allow
# Make sure cp without any flags does not copy copy the ACL.
$ cp xxx yyy
$ ls -l yyy | cut -d' ' -f1
> -rw-r--r--
# Make sure it does with the "-p" flag.
$ rm yyy
$ cp -p xxx yyy
$ getfacl -n yyy
> # file: yyy
> # owner: root
> # group: wheel
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> owner@:rw-p--aARWcCos:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
$ rm yyy
# Test removing entries by... by example?
$ setfacl -x everyone@::deny xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
# Test setfacl -b.
$ setfacl -b xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
$ ls -l xxx | cut -d' ' -f1
> -rw-r--r--
# Check setfacl(1) and getfacl(1) with multiple files.
$ touch xxx yyy zzz
$ ls -l xxx yyy zzz | cut -d' ' -f1
> -rw-r--r--
> -rw-r--r--
> -rw-r--r--
$ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz
> setfacl: nnn: stat() failed: No such file or directory
$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
> ls: nnn: No such file or directory
> -rw-r--r--+
> -rw-r--r--+
> -rw-r--r--+
$ getfacl -nq nnn xxx yyy zzz
> getfacl: nnn: stat() failed: No such file or directory
> user:42:--x-----------:-------:allow
> group:43:-w------------:-------:allow
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
>
> user:42:--x-----------:-------:allow
> group:43:-w------------:-------:allow
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
>
> user:42:--x-----------:-------:allow
> group:43:-w------------:-------:allow
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
$ setfacl -b nnn xxx yyy zzz
> setfacl: nnn: stat() failed: No such file or directory
$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
> ls: nnn: No such file or directory
> -rw-r--r--
> -rw-r--r--
> -rw-r--r--
$ rm xxx yyy zzz
# Test applying mode to an ACL.
$ touch xxx
$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx
$ chmod 600 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> group@:------a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow
$ ls -l xxx | cut -d' ' -f1
> -rw-------
$ rm xxx
$ touch xxx
$ chown 42 xxx
$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
$ chmod 600 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: 42
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> group@:------a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow
$ ls -l xxx | cut -d' ' -f1
> -rw-------
$ rm xxx
$ touch xxx
$ chown 43 xxx
$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
$ chmod 124 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: 43
> # group: wheel
> owner@:rw-p----------:-------:deny
> group@:r-------------:-------:deny
> owner@:--x---aARWcCos:-------:allow
> group@:-w-p--a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
$ ls -l xxx | cut -d' ' -f1
> ---x-w-r--
$ rm xxx
$ touch xxx
$ chown 43 xxx
$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
$ chmod 412 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: 43
> # group: wheel
> owner@:-wxp----------:-------:deny
> group@:-w-p----------:-------:deny
> owner@:r-----aARWcCos:-------:allow
> group@:--x---a-R-c--s:-------:allow
> everyone@:-w-p--a-R-c--s:-------:allow
$ ls -l xxx | cut -d' ' -f1
> -r----x-w-
$ mkdir ddd
$ setfacl -a0 group:44:rwapd:allow ddd
$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
$ getfacl -n ddd
> # file: ddd
> # owner: root
> # group: wheel
> user:42:r-x-----------:f-i----:allow
> group:42:-w--D---------:-d-----:allow
> group:43:-w--D---------:-d-----:deny
> group@:-----da-------:-------:allow
> group:44:rw-p-da-------:-------:allow
> owner@:rwxp--aARWcCos:-------:allow
> group@:r-x---a-R-c--s:-------:allow
> everyone@:-w-p--a-R-c--s:f-i----:allow
$ chmod 777 ddd
$ getfacl -n ddd
> # file: ddd
> # owner: root
> # group: wheel
> owner@:rwxp--aARWcCos:-------:allow
> group@:rwxp--a-R-c--s:-------:allow
> everyone@:rwxp--a-R-c--s:-------:allow
# Test applying ACL to mode.
$ rmdir ddd
$ mkdir ddd
$ setfacl -a0 u:42:rwx:fi:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> drwxr-xr-x+
$ rmdir ddd
$ mkdir ddd
$ chmod 0 ddd
$ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> dr----x---+
$ rmdir ddd
$ mkdir ddd
$ chmod 0 ddd
$ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> dr---wx---+
$ rmdir ddd
$ mkdir ddd
$ chmod 0 ddd
$ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> dr--------+
$ rmdir ddd
$ mkdir ddd
$ chmod 0 ddd
$ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> dr--------+
# Test inheritance.
$ rmdir ddd
$ mkdir ddd
$ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd
$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd
$ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd
$ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd
$ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd
$ getfacl -qn ddd
> user:41:-w-----A------:f--n---:allow
> group:41:r-----a-------:-din---:allow
> user:42:-----------Co-:f-i----:allow
> user:42:r-x-----------:f-i----:allow
> group:42:-w--D---------:-d-n---:deny
> group:43:-w---------C--:f-in---:deny
> user:43:rwxp----------:-------:allow
> owner@:rwxp--aARWcCos:-------:allow
> group@:r-x---a-R-c--s:-------:allow
> everyone@:r-x---a-R-c--s:-------:allow
$ cd ddd
$ touch xxx
$ getfacl -qn xxx
> user:41:--------------:------I:allow
> user:42:--------------:------I:allow
> user:42:r-------------:------I:allow
> group:43:-w---------C--:------I:deny
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
$ rm xxx
$ umask 077
$ touch xxx
$ getfacl -qn xxx
> user:41:--------------:------I:allow
> user:42:--------------:------I:allow
> user:42:--------------:------I:allow
> group:43:-w---------C--:------I:deny
> owner@:rw-p--aARWcCos:-------:allow
> group@:------a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow
$ rm xxx
$ umask 770
$ touch xxx
$ getfacl -qn xxx
> owner@:rw-p----------:-------:deny
> group@:rw-p----------:-------:deny
> user:41:--------------:------I:allow
> user:42:--------------:------I:allow
> user:42:--------------:------I:allow
> group:43:-w---------C--:------I:deny
> owner@:------aARWcCos:-------:allow
> group@:------a-R-c--s:-------:allow
> everyone@:rw-p--a-R-c--s:-------:allow
$ rm xxx
$ umask 707
$ touch xxx
$ getfacl -qn xxx
> owner@:rw-p----------:-------:deny
> user:41:-w------------:------I:allow
> user:42:--------------:------I:allow
> user:42:r-------------:------I:allow
> group:43:-w---------C--:------I:deny
> owner@:------aARWcCos:-------:allow
> group@:rw-p--a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow
$ umask 077
$ mkdir yyy
$ getfacl -qn yyy
> group:41:------a-------:------I:allow
> user:42:-----------Co-:f-i---I:allow
> user:42:r-x-----------:f-i---I:allow
> group:42:-w--D---------:------I:deny
> owner@:rwxp--aARWcCos:-------:allow
> group@:------a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow
$ rmdir yyy
$ umask 770
$ mkdir yyy
$ getfacl -qn yyy
> owner@:rwxp----------:-------:deny
> group@:rwxp----------:-------:deny
> group:41:------a-------:------I:allow
> user:42:-----------Co-:f-i---I:allow
> user:42:r-x-----------:f-i---I:allow
> group:42:-w--D---------:------I:deny
> owner@:------aARWcCos:-------:allow
> group@:------a-R-c--s:-------:allow
> everyone@:rwxp--a-R-c--s:-------:allow
$ rmdir yyy
$ umask 707
$ mkdir yyy
$ getfacl -qn yyy
> owner@:rwxp----------:-------:deny
> group:41:r-----a-------:------I:allow
> user:42:-----------Co-:f-i---I:allow
> user:42:r-x-----------:f-i---I:allow
> group:42:-w--D---------:------I:deny
> owner@:------aARWcCos:-------:allow
> group@:rwxp--a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow
# There is some complication regarding how write_acl and write_owner flags
# get inherited. Make sure we got it right.
$ setfacl -b .
$ setfacl -a0 u:42:Co:f:allow .
$ setfacl -a0 u:43:Co:d:allow .
$ setfacl -a0 u:44:Co:fd:allow .
$ setfacl -a0 u:45:Co:fi:allow .
$ setfacl -a0 u:46:Co:di:allow .
$ setfacl -a0 u:47:Co:fdi:allow .
$ setfacl -a0 u:48:Co:fn:allow .
$ setfacl -a0 u:49:Co:dn:allow .
$ setfacl -a0 u:50:Co:fdn:allow .
$ setfacl -a0 u:51:Co:fni:allow .
$ setfacl -a0 u:52:Co:dni:allow .
$ setfacl -a0 u:53:Co:fdni:allow .
$ umask 022
$ rm xxx
$ touch xxx
$ getfacl -nq xxx
> user:53:--------------:------I:allow
> user:51:--------------:------I:allow
> user:50:--------------:------I:allow
> user:48:--------------:------I:allow
> user:47:--------------:------I:allow
> user:45:--------------:------I:allow
> user:44:--------------:------I:allow
> user:42:--------------:------I:allow
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
$ rmdir yyy
$ mkdir yyy
$ getfacl -nq yyy
> user:53:--------------:------I:allow
> user:52:--------------:------I:allow
> user:50:--------------:------I:allow
> user:49:--------------:------I:allow
> user:47:--------------:fd----I:allow
> user:46:--------------:-d----I:allow
> user:45:-----------Co-:f-i---I:allow
> user:44:--------------:fd----I:allow
> user:43:--------------:-d----I:allow
> user:42:-----------Co-:f-i---I:allow
> owner@:rwxp--aARWcCos:-------:allow
> group@:r-x---a-R-c--s:-------:allow
> everyone@:r-x---a-R-c--s:-------:allow
$ setfacl -b .
$ setfacl -a0 u:42:Co:f:deny .
$ setfacl -a0 u:43:Co:d:deny .
$ setfacl -a0 u:44:Co:fd:deny .
$ setfacl -a0 u:45:Co:fi:deny .
$ setfacl -a0 u:46:Co:di:deny .
$ setfacl -a0 u:47:Co:fdi:deny .
$ setfacl -a0 u:48:Co:fn:deny .
$ setfacl -a0 u:49:Co:dn:deny .
$ setfacl -a0 u:50:Co:fdn:deny .
$ setfacl -a0 u:51:Co:fni:deny .
$ setfacl -a0 u:52:Co:dni:deny .
$ setfacl -a0 u:53:Co:fdni:deny .
$ umask 022
$ rm xxx
$ touch xxx
$ getfacl -nq xxx
> user:53:-----------Co-:------I:deny
> user:51:-----------Co-:------I:deny
> user:50:-----------Co-:------I:deny
> user:48:-----------Co-:------I:deny
> user:47:-----------Co-:------I:deny
> user:45:-----------Co-:------I:deny
> user:44:-----------Co-:------I:deny
> user:42:-----------Co-:------I:deny
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
$ rmdir yyy
$ mkdir yyy
$ getfacl -nq yyy
> user:53:-----------Co-:------I:deny
> user:52:-----------Co-:------I:deny
> user:50:-----------Co-:------I:deny
> user:49:-----------Co-:------I:deny
> user:47:-----------Co-:fd----I:deny
> user:46:-----------Co-:-d----I:deny
> user:45:-----------Co-:f-i---I:deny
> user:44:-----------Co-:fd----I:deny
> user:43:-----------Co-:-d----I:deny
> user:42:-----------Co-:f-i---I:deny
> owner@:rwxp--aARWcCos:-------:allow
> group@:r-x---a-R-c--s:-------:allow
> everyone@:r-x---a-R-c--s:-------:allow
$ rmdir yyy
$ rm xxx
$ cd ..
$ rmdir ddd
$ rm xxx
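Review bot: The header's only safety statement is `# WARNING: Creates files in unsafe way.`, which does not say what is unsafe, and the usage line still points at `/usr/src/tools/regression/acltools/run`. The body creates and deletes the fixed names xxx, yyy, zzz and ddd in the current directory as root, changes ownership and ACLs on them, and expects nnn to be absent. It is therefore only safe and deterministic in an empty directory that no other user can write to. I would replace the warning with something like `# WARNING: run only in an empty, dedicated scratch directory; creates and removes xxx, yyy, zzz and ddd as root.` and revisit the run path if the old tree is going away. The same header wording appears in the other .test files in this commit, and the comment `# Make sure cp without any flags does not copy copy the ACL.` has a doubled word.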


@ -0,0 +1,82 @@
# Copyright (c) 2011 Edward Tomasz Napierała <trasz@FreeBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#
# This is a tools-level test for acl_is_trivial_np(3). Run it as root on ZFS.
# Note that this does not work on UFS with NFSv4 ACLs enabled - UFS recognizes
# both kind of trivial ACLs and replaces it by the default one.
#
# WARNING: Creates files in unsafe way.
$ whoami
> root
$ umask 022
# Check whether ls(1) correctly recognizes PSARC/2010/029-style trivial ACLs.
$ touch xxx
$ ls -l xxx | cut -d' ' -f1
> -rw-r--r--
$ getfacl -q xxx
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
# Check whether ls(1) correctly recognizes draft-style trivial ACLs.
$ rm xxx
$ touch xxx
$ setfacl -a0 owner@:x:deny,owner@:rwpAWCo:allow,group@:wxp:deny,group@:r:allow,everyone@:wxpAWCo:deny,everyone@:raRcs:allow xxx
$ setfacl -x5 xxx
$ setfacl -x5 xxx
$ setfacl -x5 xxx
$ ls -l xxx | cut -d' ' -f1
> -rw-r--r--
$ getfacl -q xxx
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> group@:-wxp----------:-------:deny
> group@:r-------------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
# Make sure ls(1) actually can recognize something as non-trivial.
$ setfacl -x0 xxx
$ ls -l xxx | cut -d' ' -f1
> -rw-r--r--+
$ getfacl -q xxx
> owner@:rw-p---A-W-Co-:-------:allow
> group@:-wxp----------:-------:deny
> group@:r-------------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
$ rm xxx
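Review bot: The draft-style case relies on three identical `$ setfacl -x5 xxx` calls with no explanation, and the transcript does not make it obvious which entries they remove. As far as I can tell from the expected `getfacl -q` output, `setfacl -a0` puts the six listed entries in front of the file's existing ones, and each `-x5` then deletes whatever has shifted into index 5, leaving a six-entry ACL. A comment above them, e.g. `# Entries shift down after each removal, so -x5 three times drops three consecutive entries.`, would keep a later edit to the entry list from silently breaking the fixture.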


@ -0,0 +1,828 @@
# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#
# This is a tools-level test for NFSv4 ACL functionality. Run it as root
# using ACL-enabled kernel:
#
# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
#
# WARNING: Creates files in unsafe way.
$ whoami
> root
$ umask 022
# Smoke test for getfacl(1).
$ touch xxx
$ getfacl xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> group@:-wxp----------:-------:deny
> group@:r-------------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
$ getfacl -q xxx
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> group@:-wxp----------:-------:deny
> group@:r-------------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
# Check verbose mode formatting.
$ getfacl -v xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:execute::deny
> owner@:read_data/write_data/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
> group@:write_data/execute/append_data::deny
> group@:read_data::allow
> everyone@:write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::deny
> everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
# Test setfacl -a.
$ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> group@:-wxp----------:-------:deny
> group@:r-------------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
# Test user and group name resolving.
$ rm xxx
$ touch xxx
$ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx
$ getfacl xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> user:root:-----------C--:-------:allow
> group:daemon:----------c---:-------:deny
> group@:-wxp----------:-------:deny
> group@:r-------------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
# Check whether ls correctly marks files with "+".
$ ls -l xxx | cut -d' ' -f1
> -rw-r--r--+
# Test removing entries by number.
$ setfacl -x 4 xxx
$ setfacl -x 4 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
# Test setfacl -m.
$ setfacl -a0 everyone@:rwx:deny xxx
$ setfacl -a0 everyone@:rwx:deny xxx
$ setfacl -a0 everyone@:rwx:deny xxx
$ setfacl -m everyone@::deny xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:--------------:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
# Test getfacl -i.
$ getfacl -i xxx
> # file: xxx
> # owner: root
> # group: wheel
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> user:root:-----------C--:-------:allow:0
> group:daemon:----------c---:-------:deny:1
> everyone@:--------------:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
# Make sure cp without any flags does not copy copy the ACL.
$ cp xxx yyy
$ ls -l yyy | cut -d' ' -f1
> -rw-r--r--
# Make sure it does with the "-p" flag.
$ rm yyy
$ cp -p xxx yyy
$ getfacl -n yyy
> # file: yyy
> # owner: root
> # group: wheel
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:--------------:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
$ rm yyy
# Test removing entries by... by example?
$ setfacl -x everyone@::deny xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
# Test setfacl -b.
$ setfacl -b xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> group@:-wxp----------:-------:deny
> group@:r-------------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
$ ls -l xxx | cut -d' ' -f1
> -rw-r--r--
# Check setfacl(1) and getfacl(1) with multiple files.
$ touch xxx yyy zzz
$ ls -l xxx yyy zzz | cut -d' ' -f1
> -rw-r--r--
> -rw-r--r--
> -rw-r--r--
$ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz
> setfacl: nnn: stat() failed: No such file or directory
$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
> ls: nnn: No such file or directory
> -rw-r--r--+
> -rw-r--r--+
> -rw-r--r--+
$ getfacl -nq nnn xxx yyy zzz
> getfacl: nnn: stat() failed: No such file or directory
> user:42:--x-----------:-------:allow
> group:43:-w------------:-------:allow
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> group@:-wxp----------:-------:deny
> group@:r-------------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
>
> user:42:--x-----------:-------:allow
> group:43:-w------------:-------:allow
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> group@:-wxp----------:-------:deny
> group@:r-------------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
>
> user:42:--x-----------:-------:allow
> group:43:-w------------:-------:allow
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> group@:-wxp----------:-------:deny
> group@:r-------------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
$ setfacl -b nnn xxx yyy zzz
> setfacl: nnn: stat() failed: No such file or directory
$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
> ls: nnn: No such file or directory
> -rw-r--r--
> -rw-r--r--
> -rw-r--r--
$ rm xxx yyy zzz
# Test applying mode to an ACL.
$ touch xxx
$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx
$ chmod 600 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> user:42:r-------------:-------:deny
> user:42:r-------------:-------:allow
> user:43:-w------------:-------:deny
> user:43:-w------------:-------:allow
> user:44:--x-----------:-------:deny
> user:44:--x-----------:-------:allow
> owner@:--------------:-------:deny
> owner@:-------A-W-Co-:-------:allow
> group@:--------------:-------:deny
> group@:--------------:-------:allow
> everyone@:-------A-W-Co-:-------:deny
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> group@:rwxp----------:-------:deny
> group@:--------------:-------:allow
> everyone@:rwxp---A-W-Co-:-------:deny
> everyone@:------a-R-c--s:-------:allow
$ ls -l xxx | cut -d' ' -f1
> -rw-------+
$ rm xxx
$ touch xxx
$ chown 42 xxx
$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
$ chmod 600 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: 42
> # group: wheel
> user:42:--------------:-------:deny
> user:42:r-------------:-------:allow
> user:43:-w------------:-------:deny
> user:43:-w------------:-------:allow
> user:44:--x-----------:-------:deny
> user:44:--x-----------:-------:allow
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> group@:rwxp----------:-------:deny
> group@:--------------:-------:allow
> everyone@:rwxp---A-W-Co-:-------:deny
> everyone@:------a-R-c--s:-------:allow
$ ls -l xxx | cut -d' ' -f1
> -rw-------+
$ rm xxx
$ touch xxx
$ chown 43 xxx
$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
$ chmod 124 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: 43
> # group: wheel
> user:42:r-------------:-------:deny
> user:42:r-------------:-------:allow
> user:43:-w------------:-------:deny
> user:43:-w------------:-------:allow
> user:44:--x-----------:-------:deny
> user:44:--x-----------:-------:allow
> owner@:rw-p----------:-------:deny
> owner@:--x----A-W-Co-:-------:allow
> group@:r-x-----------:-------:deny
> group@:-w-p----------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
$ ls -l xxx | cut -d' ' -f1
> ---x-w-r--+
$ rm xxx
$ touch xxx
$ chown 43 xxx
$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
$ chmod 412 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: 43
> # group: wheel
> user:42:r-------------:-------:deny
> user:42:r-------------:-------:allow
> user:43:-w------------:-------:deny
> user:43:-w------------:-------:allow
> user:44:--------------:-------:deny
> user:44:--x-----------:-------:allow
> owner@:-wxp----------:-------:deny
> owner@:r------A-W-Co-:-------:allow
> group@:rw-p----------:-------:deny
> group@:--x-----------:-------:allow
> everyone@:r-x----A-W-Co-:-------:deny
> everyone@:-w-p--a-R-c--s:-------:allow
$ ls -l xxx | cut -d' ' -f1
> -r----x-w-+
$ mkdir ddd
$ setfacl -a0 group:44:rwapd:allow ddd
$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
$ getfacl -n ddd
> # file: ddd
> # owner: root
> # group: wheel
> user:42:r-x-----------:f-i----:allow
> group:42:-w--D---------:-d-----:allow
> group:43:-w--D---------:-d-----:deny
> group@:-----da-------:-------:allow
> group:44:rw-p-da-------:-------:allow
> owner@:--------------:-------:deny
> owner@:rwxp---A-W-Co-:-------:allow
> group@:-w-p----------:-------:deny
> group@:r-x-----------:-------:allow
> everyone@:-w-p---A-W-Co-:-------:deny
> everyone@:-w-p--a-R-c--s:f-i----:allow
$ chmod 777 ddd
$ getfacl -n ddd
> # file: ddd
> # owner: root
> # group: wheel
> user:42:r-x-----------:f-i----:allow
> group:42:-w--D---------:-di----:allow
> group:42:--------------:-------:deny
> group:42:-w--D---------:-------:allow
> group:43:-w--D---------:-di----:deny
> group:43:-w--D---------:-------:deny
> group@:-----da-------:-------:allow
> group:44:--------------:-------:deny
> group:44:rw-p-da-------:-------:allow
> owner@:--------------:-------:deny
> owner@:-------A-W-Co-:-------:allow
> group@:--------------:-------:deny
> group@:--------------:-------:allow
> everyone@:-------A-W-Co-:-------:deny
> everyone@:-w-p--a-R-c--s:f-i----:allow
> owner@:--------------:-------:deny
> owner@:rwxp---A-W-Co-:-------:allow
> group@:--------------:-------:deny
> group@:rwxp----------:-------:allow
> everyone@:-------A-W-Co-:-------:deny
> everyone@:rwxp--a-R-c--s:-------:allow
$ rmdir ddd
$ mkdir ddd
$ setfacl -a0 group:44:rwapd:allow ddd
$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
$ chmod 124 ddd
$ getfacl -n ddd
> # file: ddd
> # owner: root
> # group: wheel
> user:42:r-x-----------:f-i----:allow
> group:42:-w--D---------:-di----:allow
> group:42:--------------:-------:deny
> group:42:----D---------:-------:allow
> group:43:-w--D---------:-di----:deny
> group:43:-w--D---------:-------:deny
> group@:-----da-------:-------:allow
> group:44:r-------------:-------:deny
> group:44:r----da-------:-------:allow
> owner@:--------------:-------:deny
> owner@:-------A-W-Co-:-------:allow
> group@:--------------:-------:deny
> group@:--------------:-------:allow
> everyone@:-------A-W-Co-:-------:deny
> everyone@:-w-p--a-R-c--s:f-i----:allow
> owner@:rw-p----------:-------:deny
> owner@:--x----A-W-Co-:-------:allow
> group@:r-x-----------:-------:deny
> group@:-w-p----------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
$ rmdir ddd
$ mkdir ddd
$ setfacl -a0 group:44:rwapd:allow ddd
$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
$ chmod 412 ddd
$ getfacl -n ddd
> # file: ddd
> # owner: root
> # group: wheel
> user:42:r-------------:-------:deny
> user:42:r-x-----------:-------:allow
> user:42:r-x-----------:f-i----:allow
> group:42:-w--D---------:-di----:allow
> group:42:-w------------:-------:deny
> group:42:-w--D---------:-------:allow
> group:43:-w--D---------:-di----:deny
> group:43:-w--D---------:-------:deny
> group@:-----da-------:-------:allow
> group:44:rw-p----------:-------:deny
> group:44:rw-p-da-------:-------:allow
> owner@:--------------:-------:deny
> owner@:-------A-W-Co-:-------:allow
> group@:--------------:-------:deny
> group@:--------------:-------:allow
> everyone@:-------A-W-Co-:-------:deny
> everyone@:-w-p--a-R-c--s:f-i----:allow
> owner@:-wxp----------:-------:deny
> owner@:r------A-W-Co-:-------:allow
> group@:rw-p----------:-------:deny
> group@:--x-----------:-------:allow
> everyone@:r-x----A-W-Co-:-------:deny
> everyone@:-w-p--a-R-c--s:-------:allow
$ rmdir ddd
$ mkdir ddd
$ setfacl -a0 group:44:rwapd:allow ddd
$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
$ chown 42 ddd
$ chmod 412 ddd
$ getfacl -n ddd
> # file: ddd
> # owner: 42
> # group: wheel
> user:42:--x-----------:-------:deny
> user:42:r-x-----------:-------:allow
> user:42:r-x-----------:f-i----:allow
> group:42:-w--D---------:-di----:allow
> group:42:-w------------:-------:deny
> group:42:-w--D---------:-------:allow
> group:43:-w--D---------:-di----:deny
> group:43:-w--D---------:-------:deny
> group@:-----da-------:-------:allow
> group:44:rw-p----------:-------:deny
> group:44:rw-p-da-------:-------:allow
> owner@:--------------:-------:deny
> owner@:-------A-W-Co-:-------:allow
> group@:--------------:-------:deny
> group@:--------------:-------:allow
> everyone@:-------A-W-Co-:-------:deny
> everyone@:-w-p--a-R-c--s:f-i----:allow
> owner@:-wxp----------:-------:deny
> owner@:r------A-W-Co-:-------:allow
> group@:rw-p----------:-------:deny
> group@:--x-----------:-------:allow
> everyone@:r-x----A-W-Co-:-------:deny
> everyone@:-w-p--a-R-c--s:-------:allow
# Test applying ACL to mode.
$ rmdir ddd
$ mkdir ddd
$ setfacl -a0 u:42:rwx:fi:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> drwxr-xr-x+
$ rmdir ddd
$ mkdir ddd
$ chmod 0 ddd
$ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> dr----x---+
$ rmdir ddd
$ mkdir ddd
$ chmod 0 ddd
$ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> dr---wx---+
$ rmdir ddd
$ mkdir ddd
$ chmod 0 ddd
$ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> dr--------+
$ rmdir ddd
$ mkdir ddd
$ chmod 0 ddd
$ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> dr--------+
# Test inheritance.
$ rmdir ddd
$ mkdir ddd
$ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd
$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd
$ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd
$ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd
$ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd
$ getfacl -qn ddd
> user:41:-w-----A------:f--n---:allow
> group:41:r-----a-------:-din---:allow
> user:42:-----------Co-:f-i----:allow
> user:42:r-x-----------:f-i----:allow
> group:42:-w--D---------:-d-n---:deny
> group:43:-w---------C--:f-in---:deny
> user:43:rwxp----------:-------:allow
> owner@:--------------:-------:deny
> owner@:rwxp---A-W-Co-:-------:allow
> group@:-w-p----------:-------:deny
> group@:r-x-----------:-------:allow
> everyone@:-w-p---A-W-Co-:-------:deny
> everyone@:r-x---a-R-c--s:-------:allow
$ cd ddd
$ touch xxx
$ getfacl -qn xxx
> user:41:-w------------:-------:deny
> user:41:-w-----A------:-------:allow
> user:42:--------------:-------:deny
> user:42:--------------:-------:allow
> user:42:--x-----------:-------:deny
> user:42:r-x-----------:-------:allow
> group:43:-w---------C--:-------:deny
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> group@:-wxp----------:-------:deny
> group@:r-------------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
$ rm xxx
$ umask 077
$ touch xxx
$ getfacl -qn xxx
> user:41:-w------------:-------:deny
> user:41:-w-----A------:-------:allow
> user:42:--------------:-------:deny
> user:42:--------------:-------:allow
> user:42:r-x-----------:-------:deny
> user:42:r-x-----------:-------:allow
> group:43:-w---------C--:-------:deny
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> group@:rwxp----------:-------:deny
> group@:--------------:-------:allow
> everyone@:rwxp---A-W-Co-:-------:deny
> everyone@:------a-R-c--s:-------:allow
$ rm xxx
$ umask 770
$ touch xxx
$ getfacl -qn xxx
> user:41:-w------------:-------:deny
> user:41:-w-----A------:-------:allow
> user:42:--------------:-------:deny
> user:42:--------------:-------:allow
> user:42:r-x-----------:-------:deny
> user:42:r-x-----------:-------:allow
> group:43:-w---------C--:-------:deny
> owner@:rwxp----------:-------:deny
> owner@:-------A-W-Co-:-------:allow
> group@:rwxp----------:-------:deny
> group@:--------------:-------:allow
> everyone@:--x----A-W-Co-:-------:deny
> everyone@:rw-p--a-R-c--s:-------:allow
$ rm xxx
$ umask 707
$ touch xxx
$ getfacl -qn xxx
> user:41:--------------:-------:deny
> user:41:-w-----A------:-------:allow
> user:42:--------------:-------:deny
> user:42:--------------:-------:allow
> user:42:--x-----------:-------:deny
> user:42:r-x-----------:-------:allow
> group:43:-w---------C--:-------:deny
> owner@:rwxp----------:-------:deny
> owner@:-------A-W-Co-:-------:allow
> group@:--x-----------:-------:deny
> group@:rw-p----------:-------:allow
> everyone@:rwxp---A-W-Co-:-------:deny
> everyone@:------a-R-c--s:-------:allow
$ umask 077
$ mkdir yyy
$ getfacl -qn yyy
> group:41:r-------------:-------:deny
> group:41:r-----a-------:-------:allow
> user:42:-----------Co-:f-i----:allow
> user:42:r-x-----------:f-i----:allow
> group:42:-w--D---------:-------:deny
> owner@:--------------:-------:deny
> owner@:rwxp---A-W-Co-:-------:allow
> group@:rwxp----------:-------:deny
> group@:--------------:-------:allow
> everyone@:rwxp---A-W-Co-:-------:deny
> everyone@:------a-R-c--s:-------:allow
$ rmdir yyy
$ umask 770
$ mkdir yyy
$ getfacl -qn yyy
> group:41:r-------------:-------:deny
> group:41:r-----a-------:-------:allow
> user:42:-----------Co-:f-i----:allow
> user:42:r-x-----------:f-i----:allow
> group:42:-w--D---------:-------:deny
> owner@:rwxp----------:-------:deny
> owner@:-------A-W-Co-:-------:allow
> group@:rwxp----------:-------:deny
> group@:--------------:-------:allow
> everyone@:-------A-W-Co-:-------:deny
> everyone@:rwxp--a-R-c--s:-------:allow
$ rmdir yyy
$ umask 707
$ mkdir yyy
$ getfacl -qn yyy
> group:41:--------------:-------:deny
> group:41:------a-------:-------:allow
> user:42:-----------Co-:f-i----:allow
> user:42:r-x-----------:f-i----:allow
> group:42:-w--D---------:-------:deny
> owner@:rwxp----------:-------:deny
> owner@:-------A-W-Co-:-------:allow
> group@:--------------:-------:deny
> group@:rwxp----------:-------:allow
> everyone@:rwxp---A-W-Co-:-------:deny
> everyone@:------a-R-c--s:-------:allow
# There is some complication regarding how write_acl and write_owner flags
# get inherited. Make sure we got it right.
$ setfacl -b .
$ setfacl -a0 u:42:Co:f:allow .
$ setfacl -a0 u:43:Co:d:allow .
$ setfacl -a0 u:44:Co:fd:allow .
$ setfacl -a0 u:45:Co:fi:allow .
$ setfacl -a0 u:46:Co:di:allow .
$ setfacl -a0 u:47:Co:fdi:allow .
$ setfacl -a0 u:48:Co:fn:allow .
$ setfacl -a0 u:49:Co:dn:allow .
$ setfacl -a0 u:50:Co:fdn:allow .
$ setfacl -a0 u:51:Co:fni:allow .
$ setfacl -a0 u:52:Co:dni:allow .
$ setfacl -a0 u:53:Co:fdni:allow .
$ umask 022
$ rm xxx
$ touch xxx
$ getfacl -nq xxx
> user:53:--------------:-------:deny
> user:53:--------------:-------:allow
> user:51:--------------:-------:deny
> user:51:--------------:-------:allow
> user:50:--------------:-------:deny
> user:50:--------------:-------:allow
> user:48:--------------:-------:deny
> user:48:--------------:-------:allow
> user:47:--------------:-------:deny
> user:47:--------------:-------:allow
> user:45:--------------:-------:deny
> user:45:--------------:-------:allow
> user:44:--------------:-------:deny
> user:44:--------------:-------:allow
> user:42:--------------:-------:deny
> user:42:--------------:-------:allow
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> group@:-wxp----------:-------:deny
> group@:r-------------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
$ rmdir yyy
$ mkdir yyy
$ getfacl -nq yyy
> user:53:--------------:-------:deny
> user:53:--------------:-------:allow
> user:52:--------------:-------:deny
> user:52:--------------:-------:allow
> user:50:--------------:-------:deny
> user:50:--------------:-------:allow
> user:49:--------------:-------:deny
> user:49:--------------:-------:allow
> user:47:-----------Co-:fdi----:allow
> user:47:--------------:-------:deny
> user:47:--------------:-------:allow
> user:46:-----------Co-:-di----:allow
> user:46:--------------:-------:deny
> user:46:--------------:-------:allow
> user:45:-----------Co-:f-i----:allow
> user:44:-----------Co-:fdi----:allow
> user:44:--------------:-------:deny
> user:44:--------------:-------:allow
> user:43:-----------Co-:-di----:allow
> user:43:--------------:-------:deny
> user:43:--------------:-------:allow
> user:42:-----------Co-:f-i----:allow
> owner@:--------------:-------:deny
> owner@:rwxp---A-W-Co-:-------:allow
> group@:-w-p----------:-------:deny
> group@:r-x-----------:-------:allow
> everyone@:-w-p---A-W-Co-:-------:deny
> everyone@:r-x---a-R-c--s:-------:allow
$ setfacl -b .
$ setfacl -a0 u:42:Co:f:deny .
$ setfacl -a0 u:43:Co:d:deny .
$ setfacl -a0 u:44:Co:fd:deny .
$ setfacl -a0 u:45:Co:fi:deny .
$ setfacl -a0 u:46:Co:di:deny .
$ setfacl -a0 u:47:Co:fdi:deny .
$ setfacl -a0 u:48:Co:fn:deny .
$ setfacl -a0 u:49:Co:dn:deny .
$ setfacl -a0 u:50:Co:fdn:deny .
$ setfacl -a0 u:51:Co:fni:deny .
$ setfacl -a0 u:52:Co:dni:deny .
$ setfacl -a0 u:53:Co:fdni:deny .
$ umask 022
$ rm xxx
$ touch xxx
$ getfacl -nq xxx
> user:53:-----------Co-:-------:deny
> user:51:-----------Co-:-------:deny
> user:50:-----------Co-:-------:deny
> user:48:-----------Co-:-------:deny
> user:47:-----------Co-:-------:deny
> user:45:-----------Co-:-------:deny
> user:44:-----------Co-:-------:deny
> user:42:-----------Co-:-------:deny
> owner@:--x-----------:-------:deny
> owner@:rw-p---A-W-Co-:-------:allow
> group@:-wxp----------:-------:deny
> group@:r-------------:-------:allow
> everyone@:-wxp---A-W-Co-:-------:deny
> everyone@:r-----a-R-c--s:-------:allow
$ rmdir yyy
$ mkdir yyy
$ getfacl -nq yyy
> user:53:-----------Co-:-------:deny
> user:52:-----------Co-:-------:deny
> user:50:-----------Co-:-------:deny
> user:49:-----------Co-:-------:deny
> user:47:-----------Co-:fdi----:deny
> user:47:-----------Co-:-------:deny
> user:46:-----------Co-:-di----:deny
> user:46:-----------Co-:-------:deny
> user:45:-----------Co-:f-i----:deny
> user:44:-----------Co-:fdi----:deny
> user:44:-----------Co-:-------:deny
> user:43:-----------Co-:-di----:deny
> user:43:-----------Co-:-------:deny
> user:42:-----------Co-:f-i----:deny
> owner@:--------------:-------:deny
> owner@:rwxp---A-W-Co-:-------:allow
> group@:-w-p----------:-------:deny
> group@:r-x-----------:-------:allow
> everyone@:-w-p---A-W-Co-:-------:deny
> everyone@:r-x---a-R-c--s:-------:allow
$ rmdir yyy
$ rm xxx
$ cd ..
$ rmdir ddd
$ rm xxx
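Review bot: The header comment of this new file (the lines above `$ whoami`) still tells the reader to start the test with `/usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test`, and its only safety statement is `# WARNING: Creates files in unsafe way.`, which never says what the safe precondition is. Every step runs as root against fixed names relative to the current directory (`touch xxx`, `chown 42 xxx`, `rm xxx yyy zzz`, `rmdir ddd`), so a run started by hand from a populated or shared directory would chown, re-ACL and delete pre-existing entries with those names. I would replace the run instruction with something like `# Run it as root through the wrapper scripts under tests/sys/acl, from an empty scratch directory on a temporary filesystem.` (presumably the wrappers this commit adds; confirm which one drives this file) and extend the warning to `# WARNING: uses fixed names (xxx, yyy, zzz, ddd) in the current directory; never run it in a shared or populated directory.` The comment before the first `cp xxx yyy` also has a doubled word (`does not copy copy the ACL`).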


@ -0,0 +1,453 @@
# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#
# This is a tools-level test for POSIX.1e ACL functionality. Run it as root
# using ACL-enabled kernel:
#
# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-posix.test
#
# WARNING: Creates files in unsafe way.
$ whoami
> root
$ umask 022
# Smoke test for getfacl(1).
$ touch xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> user::rw-
> group::r--
> other::r--
$ getfacl -q xxx
> user::rw-
> group::r--
> other::r--
$ setfacl -m u:42:r,g:43:w xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> user::rw-
> user:42:r--
> group::r--
> group:43:-w-
> mask::rw-
> other::r--
# Check whether ls correctly marks files with "+".
$ ls -l xxx | cut -d' ' -f1
> -rw-rw-r--+
# Same as above, but for symlinks.
$ ln -s xxx lll
$ getfacl -h lll
> # file: lll
> # owner: root
> # group: wheel
> user::rwx
> group::r-x
> other::r-x
$ getfacl -qh lll
> user::rwx
> group::r-x
> other::r-x
$ getfacl -q lll
> user::rw-
> user:42:r--
> group::r--
> group:43:-w-
> mask::rw-
> other::r--
$ setfacl -hm u:44:x,g:45:w lll
$ getfacl -h lll
> # file: lll
> # owner: root
> # group: wheel
> user::rwx
> user:44:--x
> group::r-x
> group:45:-w-
> mask::rwx
> other::r-x
$ ls -l lll | cut -d' ' -f1
> lrwxrwxr-x+
# Check whether the original file is left untouched.
$ ls -l xxx | cut -d' ' -f1
> -rw-rw-r--+
$ rm lll
# Test removing entries.
$ setfacl -x user:42: xxx
$ getfacl xxx
> # file: xxx
> # owner: root
> # group: wheel
> user::rw-
> group::r--
> group:43:-w-
> mask::rw-
> other::r--
$ setfacl -m u:42:r xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> user::rw-
> user:42:r--
> group::r--
> group:43:-w-
> mask::rw-
> other::r--
# Test removing entries by number.
$ setfacl -x 1 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> user::rw-
> group::r--
> group:43:-w-
> mask::rw-
> other::r--
$ setfacl -m g:43:r xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> user::rw-
> group::r--
> group:43:r--
> mask::r--
> other::r--
# Make sure cp without any flags does not copy the ACL.
$ cp xxx yyy
$ ls -l yyy | cut -d' ' -f1
> -rw-r--r--
# Make sure it does with the "-p" flag.
$ rm yyy
$ cp -p xxx yyy
$ getfacl -n yyy
> # file: yyy
> # owner: root
> # group: wheel
> user::rw-
> group::r--
> group:43:r--
> mask::r--
> other::r--
$ rm yyy
# Test removing entries by... by example?
$ setfacl -m u:42:r,g:43:w xxx
$ setfacl -x u:42: xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> user::rw-
> group::r--
> group:43:-w-
> mask::rw-
> other::r--
# Test setfacl -b.
$ setfacl -b xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> user::rw-
> group::r--
> mask::r--
> other::r--
$ ls -l xxx | cut -d' ' -f1
> -rw-r--r--+
$ setfacl -nb xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> user::rw-
> group::r--
> other::r--
$ ls -l xxx | cut -d' ' -f1
> -rw-r--r--
# Check setfacl(1) and getfacl(1) with multiple files.
$ touch xxx yyy zzz
$ ls -l xxx yyy zzz | cut -d' ' -f1
> -rw-r--r--
> -rw-r--r--
> -rw-r--r--
$ setfacl -m u:42:x,g:43:w nnn xxx yyy zzz
> setfacl: nnn: stat() failed: No such file or directory
$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
> ls: nnn: No such file or directory
> -rw-rwxr--+
> -rw-rwxr--+
> -rw-rwxr--+
$ getfacl -nq nnn xxx yyy zzz
> getfacl: nnn: stat() failed: No such file or directory
> user::rw-
> user:42:--x
> group::r--
> group:43:-w-
> mask::rwx
> other::r--
>
> user::rw-
> user:42:--x
> group::r--
> group:43:-w-
> mask::rwx
> other::r--
>
> user::rw-
> user:42:--x
> group::r--
> group:43:-w-
> mask::rwx
> other::r--
$ setfacl -b nnn xxx yyy zzz
> setfacl: nnn: stat() failed: No such file or directory
$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
> ls: nnn: No such file or directory
> -rw-r--r--+
> -rw-r--r--+
> -rw-r--r--+
$ setfacl -bn nnn xxx yyy zzz
> setfacl: nnn: stat() failed: No such file or directory
$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
> ls: nnn: No such file or directory
> -rw-r--r--
> -rw-r--r--
> -rw-r--r--
$ rm xxx yyy zzz
# Check whether chmod actually does what it should do.
$ touch xxx
$ setfacl -m u:42:rwx,g:43:rwx xxx
$ chmod 600 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> user::rw-
> user:42:rwx # effective: ---
> group::r-- # effective: ---
> group:43:rwx # effective: ---
> mask::---
> other::---
$ chmod 060 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> user::---
> user:42:rwx # effective: rw-
> group::r--
> group:43:rwx # effective: rw-
> mask::rw-
> other::---
# Test default ACLs.
$ umask 022
$ mkdir ddd
$ getfacl -qn ddd
> user::rwx
> group::r-x
> other::r-x
$ ls -l | grep ddd | cut -d' ' -f1
> drwxr-xr-x
$ getfacl -dq ddd
$ setfacl -dm u::rwx,g::rx,o::rx,mask::rwx ddd
$ getfacl -dqn ddd
> user::rwx
> group::r-x
> mask::rwx
> other::r-x
# No change - ls(1) output doesn't take into account default ACLs.
$ ls -l | grep ddd | cut -d' ' -f1
> drwxr-xr-x
$ setfacl -dm g:42:rwx,u:42:r ddd
$ setfacl -dm g::w ddd
$ getfacl -dqn ddd
> user::rwx
> user:42:r--
> group::-w-
> group:42:rwx
> mask::rwx
> other::r-x
$ setfacl -dx group:42: ddd
$ getfacl -dqn ddd
> user::rwx
> user:42:r--
> group::-w-
> mask::rw-
> other::r-x
$ ls -l | grep ddd | cut -d' ' -f1
> drwxr-xr-x
$ rmdir ddd
$ rm xxx
# Test inheritance.
$ mkdir ddd
$ touch ddd/xxx
$ getfacl -q ddd/xxx
> user::rw-
> group::r--
> other::r--
$ mkdir ddd/ddd
$ getfacl -q ddd/ddd
> user::rwx
> group::r-x
> other::r-x
$ rmdir ddd/ddd
$ rm ddd/xxx
$ setfacl -dm u::rwx,g::rx,o::rx,mask::rwx ddd
$ setfacl -dm g:42:rwx,u:43:r ddd
$ getfacl -dq ddd
> user::rwx
> user:43:r--
> group::r-x
> group:42:rwx
> mask::rwx
> other::r-x
$ touch ddd/xxx
$ getfacl -q ddd/xxx
> user::rw-
> user:43:r--
> group::r-x # effective: r--
> group:42:rwx # effective: r--
> mask::r--
> other::r--
$ mkdir ddd/ddd
$ getfacl -q ddd/ddd
> user::rwx
> user:43:r--
> group::r-x
> group:42:rwx # effective: r-x
> mask::r-x
> other::r-x
$ rmdir ddd/ddd
$ rm ddd/xxx
$ rmdir ddd
# Test if we deal properly with fifos.
$ mkfifo fff
$ ls -l fff | cut -d' ' -f1
> prw-r--r--
$ setfacl -m u:42:r,g:43:w fff
$ getfacl fff
> # file: fff
> # owner: root
> # group: wheel
> user::rw-
> user:42:r--
> group::r--
> group:43:-w-
> mask::rw-
> other::r--
$ ls -l fff | cut -d' ' -f1
> prw-rw-r--+
$ setfacl -bn fff
$ getfacl fff
> # file: fff
> # owner: root
> # group: wheel
> user::rw-
> group::r--
> other::r--
$ ls -l fff | cut -d' ' -f1
> prw-r--r--
$ rm fff
# Test if we deal properly with device files.
$ mknod bbb b 1 1
$ setfacl -m u:42:r,g:43:w bbb
> setfacl: bbb: acl_get_file() failed: Operation not supported
$ ls -l bbb | cut -d' ' -f1
> brw-r--r--
$ rm bbb
$ mknod ccc c 1 1
$ setfacl -m u:42:r,g:43:w ccc
> setfacl: ccc: acl_get_file() failed: Operation not supported
$ ls -l ccc | cut -d' ' -f1
> crw-r--r--
$ rm ccc