fuse: add `EnableAcl` flag to MountOptions

Enables kernel ACL enforcement. Change-Id: I7fb5f6f8b350ad430da18e0173df942b98da7c02

fuse: add `EnableAcl` flag to MountOptions
Enables kernel ACL enforcement. Change-Id: I7fb5f6f8b350ad430da18e0173df942b98da7c02
62c5aa19 · Jakob Unterwurzacher · 526035bb · 62c5aa19 · 62c5aa19 · 62c5aa19
Commit 62c5aa19 authored Mar 20, 2021 by Jakob Unterwurzacher
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 0 deletions

fuse/api.go fuse/api.go +7 -0

fuse/opcode.go fuse/opcode.go +4 -0

fuse/poll.go fuse/poll.go +3 -0

No files found.
--- a/fuse/api.go
+++ b/fuse/api.go
@@ -173,6 +173,13 @@ type MountOptions struct {
 	// Options passed to syscall.Mount, the default value used by fusermount
 	// is syscall.MS_NOSUID|syscall.MS_NODEV
 	DirectMountFlags uintptr
+
+	// EnableAcls enables kernel ACL support.
+	//
+	// See the comments to FUSE_CAP_POSIX_ACL
+	// in https://github.com/libfuse/libfuse/blob/master/include/fuse_common.h
+	// for details.
+	EnableAcl bool
 }

 // RawFileSystem is an interface close to the FUSE wire protocol.

--- a/fuse/opcode.go
+++ b/fuse/opcode.go
@@ -95,6 +95,10 @@ func doInit(server *Server, req *request) {
 		server.kernelSettings.Flags |= CAP_FLOCK_LOCKS | CAP_POSIX_LOCKS
 	}

+	if server.opts.EnableAcl {
+		server.kernelSettings.Flags |= CAP_POSIX_ACL
+	}
+
 	dataCacheMode := input.Flags & CAP_AUTO_INVAL_DATA
 	if server.opts.ExplicitDataCacheControl {
 		// we don't want CAP_AUTO_INVAL_DATA even if we cannot go into fully explicit mode

--- a/fuse/poll.go
+++ b/fuse/poll.go
@@ -32,6 +32,9 @@ func doPollHackLookup(ms *Server, req *request) {
 		out := (*AttrOut)(req.outData())
 		out.Attr = attr
 		req.status = OK
+	case _OP_GETXATTR:
+		// Kernel will try to read acl xattrs. Pretend we don't have any.
+		req.status = ENODATA
 	case _OP_POLL:
 		req.status = ENOSYS