[PATCH] zfsacl: Fix ACL behavior issues with vfs_zfsacl

[Christof Schmitt]

On Mon, May 27, 2019 at 11:34:17AM +0200, Ralph Boehme wrote:
> Hi Andrew,
> 
> On 5/20/19 1:00 PM, Andrew Walker via samba-technical wrote:
>  > Thanks for the feedback and suggestions. I'll try to get this done this
> > week or next week. You are correct that ZFS has the  NFSv4.1 ACL flags, but
> > FreeBSD does not currently implement NFSv4.1 ACL inheritance. The
> > suggestion of just mapping what we receive over the wire is a good one. I
> > could probably do this for the case of Solaris and Illumos.
> > 
> > One possible alternative is that I could move this logic/lies to libsunacl
> > (the library that maps ZFS ACLs to FreeBSD ACLs) so that there won't be a
> > FreeBSD-specific parameter for vfs_zfsacl. In this case the only thing I
> > would need to add to fix disabling inheritance in samba is mapping the
> > NFSv4.1 ACL flags to control flags like gpfs does.
> > 
> > Let me know if you prefer the second approach.
> 
> Not sure if I like either of both. :)
> 
> Iirc the protected flag only comes to play client side, when Windows
> Explorer performs tree inheritance for new created ACEs. My NT ACL mind
> model is currently swapped out and not fully swapped back in, so I might
> be missing something. Jeremy?
> 
> So basically the only thing you need to implement this in the filesystem
> is storing the flag, no need to attach any semantics to it in the
> filesystem. The chmod command could be updated to honor the flag when
> appyling ACL changes in directory tree mode, not sure if how GPFS
> handles this.
> 
> Christof do you know? I guess chmod on GPFS will ignore the protected flag.

Is that the SEC_DESC_DACL_PROTECTED flag? For GPFS, gets mapped to
the ACL flag and stored in the file system ACL. There is no behavior
attached to that flag.

chmod in vfs_gpfs does not check the PROTECTED flag. We probably could
add additional logic if necessary.

Christof