tech-kern archive


Re: ACL in NetBSD?



Hello,

While I was recently digging into NetBSD's VFS code, I got to know that support for ACLs is missing in NetBSD, and because of that, implementation of ACLs in any concrete FS is not possible. As ACLs offer greater flexibility by allowing object owners to specify rights for additional users and groups, they are one of the important discretionary access control security concerns. So I would like to work on adding POSIX ACLs to NetBSD. There has been a short offline discussion with Christos on this, which is added here.


On Sun, Jul 16, 2017 at 8:51 PM, Christos Zoulas <christos%zoulas.com@localhost> wrote:
On Jul 16,  8:27pm, hrishi.goyal%gmail.com@localhost (HRISHIKESH GOYAL) wrote:
-- Subject: Re: ACL in NetBSD?

| > 1. how to encode the ACL's in the attributes?
| >
|
| <<< We are gonna add an interface for ACL in VFS which is gonna be
| separated from the EXT ATTRs interface. By doing it that way we are gonna
| follow POSIX.1e standards and provide a generic way to implement ACL (for
| those FS, UFS1 for example, which implement ACL not as EXT ATTRs). And those
| filesystems (like EXT2FS, etc.) which implement ACL as extended attributes
| would still be able to implement ACL as EXT ATTRs by mapping ACL to EXT
| ATTRs in their FS specific code.
|
|
|
| > 2. accommodate capabilities in them like linux has?
| >
| <<< AFAIK, Linux implements ACL as EXT ATTRs in VFS and to give POSIX
| compatibility, probably they have provided ACL specific syscalls as a
| wrapper over the EXT ATTRs syscalls. As if we implement ACLs as a separate
| interface it would already be POSIX compatible.
|
|
| > 3. what will the system calls look like?
| >
|
| <<< They would look exactly like the POSIX.1e ACL syscalls (see here
| <https://www.freebsd.org/cgi/man.cgi?query=acl&sektion=3&apropos=0&manpath=FreeBSD+11.0-RELEASE+and+Ports>
| )

Sounds good. Why don't you post something in tech-kern?

christos

Thanks & regards,
Hrishikesh
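
Added example, not part of the original message and not NetBSD or FreeBSD code: a sketch of the POSIX.1e access check that a filesystem-independent ACL interface like the one proposed above has to evaluate, including the mask and the group-class rule. The type names, numeric values, and the acl_check/demo functions are assumptions made for this illustration.

```c
#include <stddef.h>
/* Tag names follow POSIX.1e; values, struct layout and function names
 * are assumptions of this example, not NetBSD or FreeBSD definitions. */
enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER };
enum { P_X = 1, P_W = 2, P_R = 4 };
struct acl_entry { enum tag tag; unsigned id; unsigned perm; };
struct cred { unsigned uid; const unsigned *gids; size_t ngids; };

static int in_group(const struct cred *c, unsigned gid) {
    for (size_t i = 0; i < c->ngids; i++) if (c->gids[i] == gid) return 1;
    return 0;
}

/* Returns 1 if every bit in `want` is granted, 0 otherwise. */
int acl_check(const struct acl_entry *acl, size_t n, unsigned owner_uid,
              unsigned owner_gid, const struct cred *c, unsigned want) {
    unsigned mask = P_R | P_W | P_X, other = 0;
    int group_match = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].tag == MASK) mask = acl[i].perm;
        if (acl[i].tag == OTHER) other = acl[i].perm;
    }
    /* 1: the owner is decided by USER_OBJ alone; the mask does not apply. */
    for (size_t i = 0; i < n; i++)
        if (acl[i].tag == USER_OBJ && c->uid == owner_uid)
            return (acl[i].perm & want) == want;
    /* 2: a named-user entry decides, capped by the mask. */
    for (size_t i = 0; i < n; i++)
        if (acl[i].tag == USER && acl[i].id == c->uid)
            return (acl[i].perm & mask & want) == want;
    /* 3: any matching group entry may grant; if groups matched but none
     * grants, deny without falling through to OTHER. */
    for (size_t i = 0; i < n; i++) {
        unsigned gid = acl[i].tag == GROUP_OBJ ? owner_gid : acl[i].id;
        if ((acl[i].tag != GROUP_OBJ && acl[i].tag != GROUP) || !in_group(c, gid))
            continue;
        group_match = 1;
        if ((acl[i].perm & mask & want) == want) return 1;
    }
    return group_match ? 0 : (other & want) == want; /* 4: everyone else */
}

/* Constructed sample: owner 1000 rw-, user 1001 rw-, owning group 100 r--,
 * group 200 ---, mask r--, other r--. */
static const struct acl_entry sample[] = { {USER_OBJ, 0, 6}, {USER, 1001, 6},
    {GROUP_OBJ, 0, 4}, {GROUP, 200, 0}, {MASK, 0, 4}, {OTHER, 0, 4} };
int demo(unsigned uid, unsigned gid, unsigned want) {
    struct cred c = { uid, &gid, 1 };
    return acl_check(sample, sizeof sample / sizeof *sample, 1000, 100, &c, want);
}
```

With the constructed sample, a member of group 200 is denied read even though "other" has read: a matching group entry that does not grant the request ends the check.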


