Posix ACL Support

This change adds support for Posix ACLs by storing them as an xattr
which is common practice for many Linux file systems.  Since the
Posix ACL is stored as an xattr it will not overwrite any existing
ZFS/NFSv4 ACLs which may have been set.  The Posix ACL will also
be non-functional on other platforms although it may be visible
as an xattr if that platform understands SA based xattrs.

By default Posix ACLs are disabled but they may be enabled with
the new 'aclmode=noacl|posixacl' property.  Set the property to
'posixacl' to enable them.  If ZFS/NFSv4 ACL support is ever added
an appropriate acltype will be added.

This change passes the POSIX Test Suite cleanly with the exception
of xacl/00.t test 45 which is incorrect for Linux (Ext4 fails too).

  http://www.tuxera.com/community/posix-test-suite/

Signed-off-by: Massimo Maggi <[email protected]>
Signed-off-by: Richard Yao <[email protected]>
Signed-off-by: Brian Behlendorf <[email protected]>
Closes #170

3 files changed, 331 insertions, 0 deletions

diff --git a/config/kernel-acl.m4 b/config/kernel-acl.m4
new file mode 100644
index 000000000..e9a254780
--- /dev/null
+++ b/config/kernel-acl.m4
@@ -0,0 +1,249 @@
+dnl #
+dnl # Check if posix_acl_release can be used from a CDDL module,
+dnl # The is_owner_or_cap macro was replaced by
+dnl # inode_owner_or_capable
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_POSIX_ACL_RELEASE], [
+	AC_MSG_CHECKING([whether posix_acl_release() is available])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/cred.h>
+		#include <linux/fs.h>
+		#include <linux/posix_acl.h>
+	],[
+		struct posix_acl* tmp = posix_acl_alloc(1, 0);
+		posix_acl_release(tmp);
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_POSIX_ACL_RELEASE, 1,
+		    [posix_acl_release() is available])
+	],[
+		AC_MSG_RESULT(no)
+	])
+
+	AC_MSG_CHECKING([whether posix_acl_release() is GPL-only])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/cred.h>
+		#include <linux/fs.h>
+		#include <linux/posix_acl.h>
+
+		MODULE_LICENSE("CDDL");
+	],[
+		struct posix_acl* tmp = posix_acl_alloc(1, 0);
+		posix_acl_release(tmp);
+	],[
+		AC_MSG_RESULT(no)
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_POSIX_ACL_RELEASE_GPL_ONLY, 1,
+		    [posix_acl_release() is GPL-only])
+	])
+])
+
+dnl #
+dnl # 3.1 API change,
+dnl # posix_acl_chmod_masq() is not exported anymore and posix_acl_chmod()
+dnl # was introduced to replace it.
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_POSIX_ACL_CHMOD], [
+	AC_MSG_CHECKING([whether posix_acl_chmod exists])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/fs.h>
+		#include <linux/posix_acl.h>
+	],[
+		posix_acl_chmod(NULL, 0, 0)
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_POSIX_ACL_CHMOD, 1, [posix_acl_chmod() exists])
+	],[
+		AC_MSG_RESULT(no)
+	])
+])
+
+dnl #
+dnl # 2.6.30 API change,
+dnl # caching of ACL into the inode was added in this version.
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_POSIX_ACL_CACHING], [
+	AC_MSG_CHECKING([whether inode has i_acl and i_default_acl])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/fs.h>
+	],[
+		struct inode ino;
+		ino.i_acl = NULL;
+		ino.i_default_acl = NULL;
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_POSIX_ACL_CACHING, 1,
+		    [inode contains i_acl and i_default_acl])
+	],[
+		AC_MSG_RESULT(no)
+	])
+])
+
+dnl #
+dnl # 3.1 API change,
+dnl # posix_acl_equiv_mode now wants an umode_t* instead of a mode_t*
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_POSIX_ACL_EQUIV_MODE_WANTS_UMODE_T], [
+	AC_MSG_CHECKING([whether posix_acl_equiv_mode() wants umode_t])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/fs.h>
+		#include <linux/posix_acl.h>
+	],[
+		umode_t tmp;
+		posix_acl_equiv_mode(NULL,&tmp);
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_POSIX_ACL_EQUIV_MODE_UMODE_T, 1,
+		    [ posix_acl_equiv_mode wants umode_t*])
+	],[
+		AC_MSG_RESULT(no)
+	])
+])
+
+dnl #
+dnl # 2.6.27 API change,
+dnl # Check if inode_operations contains the function permission
+dnl # and expects the nameidata structure to have been removed.
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_INODE_OPERATIONS_PERMISSION], [
+	AC_MSG_CHECKING([whether iops->permission() exists])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/fs.h>
+
+		int permission_fn(struct inode *inode, int mask) { return 0; }
+
+		static const struct inode_operations
+		    iops __attribute__ ((unused)) = {
+			.permission = permission_fn,
+		};
+	],[
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_PERMISSION, 1, [iops->permission() exists])
+	],[
+		AC_MSG_RESULT(no)
+	])
+])
+
+dnl #
+dnl # 2.6.26 API change,
+dnl # Check if inode_operations contains the function permission
+dnl # and expects the nameidata structure to be passed.
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_INODE_OPERATIONS_PERMISSION_WITH_NAMEIDATA], [
+	AC_MSG_CHECKING([whether iops->permission() wants nameidata])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/fs.h>
+
+		int permission_fn(struct inode *inode, int mask,
+		    struct nameidata *nd) { return 0; }
+
+		static const struct inode_operations
+		    iops __attribute__ ((unused)) = {
+			.permission = permission_fn,
+		};
+	],[
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_PERMISSION, 1, [iops->permission() exists])
+		AC_DEFINE(HAVE_PERMISSION_WITH_NAMEIDATA, 1,
+		    [iops->permission() with nameidata exists])
+	],[
+		AC_MSG_RESULT(no)
+	])
+])
+
+dnl #
+dnl # 2.6.32 API change,
+dnl # Check if inode_operations contains the function check_acl
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_INODE_OPERATIONS_CHECK_ACL], [
+	AC_MSG_CHECKING([whether iops->check_acl() exists])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/fs.h>
+
+		int check_acl_fn(struct inode *inode, int mask) { return 0; }
+
+		static const struct inode_operations
+		    iops __attribute__ ((unused)) = {
+			.check_acl = check_acl_fn,
+		};
+	],[
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_CHECK_ACL, 1, [iops->check_acl() exists])
+	],[
+		AC_MSG_RESULT(no)
+	])
+])
+
+dnl #
+dnl # 2.6.38 API change,
+dnl # The function check_acl gained a new parameter: flags
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_INODE_OPERATIONS_CHECK_ACL_WITH_FLAGS], [
+	AC_MSG_CHECKING([whether iops->check_acl() wants flags])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/fs.h>
+
+		int check_acl_fn(struct inode *inode, int mask,
+		    unsigned int flags) { return 0; }
+
+		static const struct inode_operations
+		    iops __attribute__ ((unused)) = {
+			.check_acl = check_acl_fn,
+		};
+	],[
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_CHECK_ACL, 1, [iops->check_acl() exists])
+		AC_DEFINE(HAVE_CHECK_ACL_WITH_FLAGS, 1,
+		    [iops->check_acl() wants flags])
+	],[
+		AC_MSG_RESULT(no)
+	])
+])
+
+dnl #
+dnl # 3.1 API change,
+dnl # Check if inode_operations contains the function get_acl
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_INODE_OPERATIONS_GET_ACL], [
+	AC_MSG_CHECKING([whether iops->get_acl() exists])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/fs.h>
+
+		struct posix_acl *get_acl_fn(struct inode *inode, int type)
+		    { return NULL; }
+
+		static const struct inode_operations
+		    iops __attribute__ ((unused)) = {
+			.get_acl = get_acl_fn,
+		};
+	],[
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_GET_ACL, 1, [iops->get_acl() exists])
+	],[
+		AC_MSG_RESULT(no)
+	])
+])
+
+dnl #
+dnl # 2.6.30 API change,
+dnl # current_umask exists only since this version.
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_CURRENT_UMASK], [
+	AC_MSG_CHECKING([whether current_umask exists])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/fs.h>
+	],[
+		current_umask();
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_CURRENT_UMASK, 1, [current_umask() exists])
+	],[
+		AC_MSG_RESULT(no)
+	])
+])
diff --git a/config/kernel-xattr-handler.m4 b/config/kernel-xattr-handler.m4
index 943f9033c..2ba2fcbcd 100644
--- a/config/kernel-xattr-handler.m4
+++ b/config/kernel-xattr-handler.m4
@@ -84,3 +84,72 @@ AC_DEFUN([ZFS_AC_KERNEL_XATTR_HANDLER_SET], [
 		AC_MSG_RESULT(no)
 	])
 ])
+
+dnl #
+dnl # 2.6.33 API change,
+dnl # The xattr_hander->list() callback was changed to take a dentry
+dnl # instead of an inode, and a handler_flags argument was added.
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_XATTR_HANDLER_LIST], [
+	AC_MSG_CHECKING([whether xattr_handler->list() wants dentry])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/xattr.h>
+
+		size_t list(struct dentry *dentry, char *list, size_t list_size,
+		    const char *name, size_t name_len, int handler_flags)
+		    { return 0; }
+		static const struct xattr_handler
+		    xops __attribute__ ((unused)) = {
+			.list = list,
+		};
+	],[
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_DENTRY_XATTR_LIST, 1,
+		    [xattr_handler->list() wants dentry])
+	],[
+		AC_MSG_RESULT(no)
+	])
+])
+
+dnl #
+dnl # 3.7 API change,
+dnl # The posix_acl_{from,to}_xattr functions gained a new
+dnl # parameter: user_ns
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_POSIX_ACL_FROM_XATTR_USERNS], [
+	AC_MSG_CHECKING([whether posix_acl_from_xattr() needs user_ns])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/cred.h>
+		#include <linux/fs.h>
+		#include <linux/posix_acl_xattr.h>
+	],[
+		posix_acl_from_xattr(&init_user_ns, NULL, 0);
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_POSIX_ACL_FROM_XATTR_USERNS, 1,
+		    [posix_acl_from_xattr() needs user_ns])
+	],[
+		AC_MSG_RESULT(no)
+	])
+])
+
+dnl #
+dnl # 2.6.39 API change,
+dnl # The is_owner_or_cap() macro was replaced by inode_owner_or_capable(),
+dnl # this is used for permission checks in the xattr call paths.
+dnl #
+AC_DEFUN([ZFS_AC_KERNEL_INODE_OWNER_OR_CAPABLE], [
+	AC_MSG_CHECKING([whether inode_owner_or_capable() exists])
+	ZFS_LINUX_TRY_COMPILE([
+		#include <linux/fs.h>
+	],[
+		inode_owner_or_capable(NULL);
+	],[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_INODE_OWNER_OR_CAPABLE, 1,
+		    [inode_owner_or_capable() exists])
+	],[
+		AC_MSG_RESULT(no)
+	])
+])
diff --git a/config/kernel.m4 b/config/kernel.m4
index 74ce22ce6..cbf0ca3d6 100644
--- a/config/kernel.m4
+++ b/config/kernel.m4
@@ -45,6 +45,19 @@ AC_DEFUN([ZFS_AC_CONFIG_KERNEL], [
 	ZFS_AC_KERNEL_CONST_XATTR_HANDLER
 	ZFS_AC_KERNEL_XATTR_HANDLER_GET
 	ZFS_AC_KERNEL_XATTR_HANDLER_SET
+	ZFS_AC_KERNEL_XATTR_HANDLER_LIST
+	ZFS_AC_KERNEL_INODE_OWNER_OR_CAPABLE
+	ZFS_AC_KERNEL_POSIX_ACL_FROM_XATTR_USERNS
+	ZFS_AC_KERNEL_POSIX_ACL_RELEASE
+	ZFS_AC_KERNEL_POSIX_ACL_CHMOD
+	ZFS_AC_KERNEL_POSIX_ACL_CACHING
+	ZFS_AC_KERNEL_POSIX_ACL_EQUIV_MODE_WANTS_UMODE_T
+	ZFS_AC_KERNEL_INODE_OPERATIONS_PERMISSION
+	ZFS_AC_KERNEL_INODE_OPERATIONS_PERMISSION_WITH_NAMEIDATA
+	ZFS_AC_KERNEL_INODE_OPERATIONS_CHECK_ACL
+	ZFS_AC_KERNEL_INODE_OPERATIONS_CHECK_ACL_WITH_FLAGS
+	ZFS_AC_KERNEL_INODE_OPERATIONS_GET_ACL
+	ZFS_AC_KERNEL_CURRENT_UMASK
 	ZFS_AC_KERNEL_SHOW_OPTIONS
 	ZFS_AC_KERNEL_FSYNC
 	ZFS_AC_KERNEL_EVICT_INODE