From ccd65b9a61463bdd14a6961ff237c4139f0cf32e Mon Sep 17 00:00:00 2001
From: Auke Kok <auke.kok@versity.com>
Date: Fri, 9 Aug 2024 17:57:23 -0400
Subject: [PATCH 1/2] Fix POSIX ACL use in el8+.

In 29160b0b I mistakenly disabled all caching of ACLs for el8
instead of only disabling cache lookups. The correct change
should have been to disable cache lookups only, and leave setting the
acl cache after storing or fetching, as the kernel needs this data
to resolve acls when doing permission checks.

Restore the acl cache insertions fixes.

Signed-off-by: Auke Kok <auke.kok@versity.com>
---
 kmod/src/acl.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/kmod/src/acl.c b/kmod/src/acl.c
index bfe81bc5..86d398ab 100644
--- a/kmod/src/acl.c
+++ b/kmod/src/acl.c
@@ -98,11 +98,9 @@ struct posix_acl *scoutfs_get_acl_locked(struct inode *inode, int type, struct s
 		acl = ERR_PTR(ret);
 	}
 
-#ifndef KC___POSIX_ACL_CREATE
 	/* can set null negative cache */
 	if (!IS_ERR(acl))
 		set_cached_acl(inode, type, acl);
-#endif
 
 	kfree(value);
 
@@ -194,10 +192,8 @@ int scoutfs_set_acl_locked(struct inode *inode, struct posix_acl *acl, int type,
 	}
 
 out:
-#ifndef KC___POSIX_ACL_CREATE
 	if (!ret)
 		set_cached_acl(inode, type, acl);
-#endif
 
 	kfree(value);
 

From 7b039a1d18c0ca62ae1046b8d0c757cec0eba2b7 Mon Sep 17 00:00:00 2001
From: Auke Kok <auke.kok@versity.com>
Date: Fri, 9 Aug 2024 17:59:39 -0400
Subject: [PATCH 2/2] Add basic POSIX ACL tests.

These are extremely limited and very quick basic ACL tests we can
trivially do in under a second - purely basic funtionality tests only.

Signed-off-by: Auke Kok <auke.kok@versity.com>
---
 tests/golden/basic-posix-acl   | 157 +++++++++++++++++++++++++++++++++
 tests/sequence                 |   1 +
 tests/tests/basic-posix-acl.sh | 110 +++++++++++++++++++++++
 3 files changed, 268 insertions(+)
 create mode 100644 tests/golden/basic-posix-acl
 create mode 100644 tests/tests/basic-posix-acl.sh

diff --git a/tests/golden/basic-posix-acl b/tests/golden/basic-posix-acl
new file mode 100644
index 00000000..b0415759
--- /dev/null
+++ b/tests/golden/basic-posix-acl
@@ -0,0 +1,157 @@
+== setup test directory
+== getfacl
+directory drwxr-xr-x 0 0 0 '.'
+# file: .
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+== basic non-acl access through permissions
+directory drwxr-xr-x 0 44444 0 'dir-testuid'
+touch: cannot touch 'dir-testuid/file-group-write': Permission denied
+touch: cannot touch 'symlinkdir-testuid/symlink-file-group-write': Permission denied
+regular empty file -rw-r--r-- 22222 44444 0 'dir-testuid/file-group-write'
+regular empty file -rw-r--r-- 22222 44444 0 'symlinkdir-testuid/symlink-file-group-write'
+== basic acl access
+directory drwxr-xr-x 0 0 0 'dir-root'
+touch: cannot touch 'dir-root/file-group-write': Permission denied
+touch: cannot touch 'symlinkdir-root/file-group-write': Permission denied
+# file: dir-root
+# owner: root
+# group: root
+user::rwx
+user:22222:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+regular empty file -rw-r--r-- 22222 0 0 'dir-root/file-group-write'
+regular empty file -rw-r--r-- 22222 0 0 'symlinkdir-root/file-group-write'
+== directory exec
+Success
+Success
+# file: dir-root
+# owner: root
+# group: root
+user::rwx
+user:22222:rw-
+group::r-x
+mask::rwx
+other::r-x
+
+bash: line 0: cd: dir-root: Permission denied
+Failed
+bash: line 0: cd: symlinkdir-root: Permission denied
+Failed
+# file: dir-root
+# owner: root
+# group: root
+user::rwx
+user:22222:rw-
+group::r-x
+group:44444:rwx
+mask::rwx
+other::r-x
+
+Success
+Success
+== get/set attr
+regular empty file -rw-r--r-- 0 0 0 'file-root'
+setfattr: file-root: Permission denied
+# file: file-root
+# owner: root
+# group: root
+user::rw-
+user:22222:rw-
+group::r--
+mask::rw-
+other::r--
+
+# file: file-root
+user.test2="Success"
+
+# file: file-root
+# owner: root
+# group: root
+user::rw-
+group::r--
+mask::r--
+other::r--
+
+setfattr: file-root: Permission denied
+# file: file-root
+user.test2="Success"
+
+# file: file-root
+# owner: root
+# group: root
+user::rw-
+group::r--
+group:44444:rw-
+mask::rw-
+other::r--
+
+# file: file-root
+user.test2="Success"
+user.test4="Success"
+
+== inheritance / default acl
+directory drwxr-xr-x 0 0 0 'dir-root2'
+mkdir: cannot create directory 'dir-root2/dir': Permission denied
+touch: cannot touch 'dir-root2/dir/file': No such file or directory
+# file: dir-root2
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+default:user::rwx
+default:user:22222:rwx
+default:group::r-x
+default:mask::rwx
+default:other::r-x
+
+mkdir: cannot create directory 'dir-root2/dir': Permission denied
+touch: cannot touch 'dir-root2/dir/file': No such file or directory
+# file: dir-root2
+# owner: root
+# group: root
+user::rwx
+user:22222:rwx
+group::r-x
+mask::rwx
+other::r-x
+default:user::rwx
+default:user:22222:rwx
+default:group::r-x
+default:mask::rwx
+default:other::r-x
+
+directory drwxrwxr-x 22222 0 4 'dir-root2/dir'
+# file: dir-root2/dir
+# owner: 22222
+# group: root
+user::rwx
+user:22222:rwx
+group::r-x
+mask::rwx
+other::r-x
+default:user::rwx
+default:user:22222:rwx
+default:group::r-x
+default:mask::rwx
+default:other::r-x
+
+regular empty file -rw-rw-r-- 22222 0 0 'dir-root2/dir/file'
+# file: dir-root2/dir/file
+# owner: 22222
+# group: root
+user::rw-
+user:22222:rwx	#effective:rw-
+group::r-x	#effective:r--
+mask::rw-
+other::r--
+
+== cleanup
diff --git a/tests/sequence b/tests/sequence
index 1d099b85..16e0e465 100644
--- a/tests/sequence
+++ b/tests/sequence
@@ -1,6 +1,7 @@
 export-get-name-parent.sh
 basic-block-counts.sh
 basic-bad-mounts.sh
+basic-posix-acl.sh
 inode-items-updated.sh
 simple-inode-index.sh
 simple-staging.sh
diff --git a/tests/tests/basic-posix-acl.sh b/tests/tests/basic-posix-acl.sh
new file mode 100644
index 00000000..6b1e2064
--- /dev/null
+++ b/tests/tests/basic-posix-acl.sh
@@ -0,0 +1,110 @@
+
+#
+# test basic POSIX acl functionality.
+#
+
+t_require_commands stat rm touch mkdir getfacl setfacl id sudo
+t_require_mounts 2
+
+# from quota.sh
+TEST_UID=22222
+TEST_GID=44444
+
+# sys_setreuid() set fs[uid] to e[ug]id
+SET_UID="--ruid=$TEST_UID --euid=$TEST_UID"
+SET_GID="--rgid=$TEST_GID --egid=$TEST_GID --clear-groups"
+
+# helper to avoid capturing dates from ls output
+L() {
+	stat -c "%F %A %u %g %s %N" $@
+}
+
+echo "== setup test directory"
+cd "$T_D0"
+
+echo "== getfacl"
+L .
+getfacl .
+
+echo "== basic non-acl access through permissions"
+rm -rf dir-testuid
+mkdir dir-testuid
+ln -sf dir-testuid symlinkdir-testuid
+chown root:44444 dir-testuid
+L dir-testuid
+setpriv $SET_UID $SET_GID touch dir-testuid/file-group-write
+setpriv $SET_UID $SET_GID touch symlinkdir-testuid/symlink-file-group-write
+chmod g+w dir-testuid
+setpriv $SET_UID $SET_GID touch dir-testuid/file-group-write
+setpriv $SET_UID $SET_GID touch symlinkdir-testuid/symlink-file-group-write
+L dir-testuid/file-group-write
+L symlinkdir-testuid/symlink-file-group-write
+
+echo "== basic acl access"
+rm -rf dir-root
+mkdir dir-root
+ln -sf dir-root symlinkdir-root
+L dir-root
+setpriv $SET_UID touch dir-root/file-group-write
+setpriv $SET_UID touch symlinkdir-root/file-group-write
+setfacl -m u:22222:rwx dir-root
+getfacl dir-root
+setpriv $SET_UID touch dir-root/file-group-write
+setpriv $SET_UID touch symlinkdir-root/file-group-write
+L dir-root/file-group-write
+L symlinkdir-root/file-group-write
+
+echo "== directory exec"
+setpriv $SET_UID bash -c "cd dir-root && echo Success"
+setpriv $SET_UID bash -c "cd symlinkdir-root && echo Success"
+setfacl -m u:22222:rw dir-root
+getfacl dir-root
+setpriv $SET_UID bash -c "cd dir-root || echo Failed"
+setpriv $SET_UID bash -c "cd symlinkdir-root || echo Failed"
+setfacl -m g:44444:rwx dir-root
+getfacl dir-root
+setpriv $SET_GID bash -c "cd dir-root && echo Success"
+setpriv $SET_GID bash -c "cd symlinkdir-root && echo Success"
+
+echo "== get/set attr"
+rm -rf file-root
+touch file-root
+L file-root
+setpriv $SET_UID getfattr -d file-root
+setpriv $SET_UID setfattr -n "user.test1" -v "Success" file-root
+setpriv $SET_UID getfattr -d file-root
+setfacl -m u:22222:rw file-root
+getfacl file-root
+setpriv $SET_UID setfattr -n "user.test2" -v "Success" file-root
+setpriv $SET_UID getfattr -d file-root
+setfacl -x u:22222 file-root
+getfacl file-root
+setpriv $SET_UID setfattr -n "user.test3" -v "Success" file-root
+setpriv $SET_UID getfattr -d file-root
+setfacl -m g:44444:rw file-root
+getfacl file-root
+setpriv $SET_GID setfattr -n "user.test4" -v "Success" file-root
+setpriv $SET_GID getfattr -d file-root
+
+echo "== inheritance / default acl"
+rm -rf dir-root2
+mkdir dir-root2
+L dir-root2
+setpriv $SET_UID mkdir dir-root2/dir
+setpriv $SET_UID touch dir-root2/dir/file
+setfacl -m d:u:22222:rwx dir-root2
+getfacl dir-root2
+setpriv $SET_UID mkdir dir-root2/dir
+setpriv $SET_UID touch dir-root2/dir/file
+setfacl -m u:22222:rwx dir-root2
+getfacl dir-root2
+setpriv $SET_UID mkdir dir-root2/dir
+setpriv $SET_UID touch dir-root2/dir/file
+L dir-root2/dir
+getfacl dir-root2/dir
+L dir-root2/dir/file
+getfacl dir-root2/dir/file
+
+echo "== cleanup"
+
+t_pass