From 26d98cdd78cb5283f5771bd5866997acc494b067 Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Sat, 17 Dec 2022 00:44:06 +0800
Subject: tmpfiles: add conditionalized execute bit (X) support

According to setfacl(1), "the character X stands for
the execute permission if the file is a directory
or already has execute permission for some user."

After this commit, parse_acl() would return 3 acl
objects. The newly-added acl_exec object contains
entries that are subject to conditionalized execute
bit mangling. In tmpfiles, we would iterate the acl_exec
object, check the permission of the target files,
and remove the execute bit if necessary.

Here's an example entry:
A /tmp/test - - - - u:test:rwX

Closes #25114
---
 man/tmpfiles.d.xml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

(limited to 'man')

diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml
index a23b9c8946..54f3c501cb 100644
--- a/man/tmpfiles.d.xml
+++ b/man/tmpfiles.d.xml
@@ -446,13 +446,15 @@ L     /tmp/foobar -    -    -     -   /dev/null</programlisting>
           <term><varname>a+</varname></term>
           <listitem><para>Set POSIX ACLs (access control lists), see <citerefentry
           project='man-pages'><refentrytitle>acl</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>. If suffixed with <varname>+</varname>, the specified
-          entries will be added to the existing set. <command>systemd-tmpfiles</command> will automatically
-          add the required base entries for user and group based on the access mode of the file, unless base
-          entries already exist or are explicitly specified. The mask will be added if not specified
-          explicitly or already present. Lines of this type accept shell-style globs in place of normal path
-          names. This can be useful for allowing additional access to certain files. Does not follow
-          symlinks.</para></listitem>
+          <manvolnum>5</manvolnum></citerefentry>. Additionally, if 'X' is used, the execute bit is set only
+          if the file is a directory or already has execute permission for some user, as mentioned in
+          <citerefentry project='man-pages'><refentrytitle>setfacl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+          If suffixed with <varname>+</varname>, the specified entries will be added to the existing set.
+          <command>systemd-tmpfiles</command> will automatically add the required base entries for user
+          and group based on the access mode of the file, unless base entries already exist or are explicitly
+          specified. The mask will be added if not specified explicitly or already present. Lines of this type
+          accept shell-style globs in place of normal path names. This can be useful for allowing additional
+          access to certain files. Does not follow symlinks.</para></listitem>
         </varlistentry>
 
         <varlistentry>
-- 
cgit v1.2.1