Skip to content

Commit

Permalink
Merge pull request #2359 from elBoberido/iox-1176-make-acl-support-op…
Browse files Browse the repository at this point in the history
…tional

iox-#1176 Make ACL support optional
  • Loading branch information
elBoberido authored Oct 15, 2024
2 parents 89d73e0 + 4356597 commit f88bc9c
Show file tree
Hide file tree
Showing 50 changed files with 521 additions and 478 deletions.
8 changes: 8 additions & 0 deletions .bazelrc
Original file line number Diff line number Diff line change
Expand Up @@ -37,3 +37,11 @@ build:tsan --linkopt="-fsanitize=thread"

# tsan clang
build:clang_tsan --config=clang --config=tsan

#
# feature flags
#

# value [auto, on, off]
# 'auto' is platform dependent ('on' on Linux and QNX, 'off' on other OS) and the default value if the flag is not set
#build --//:feature_acl=off
20 changes: 10 additions & 10 deletions .cirrus.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -126,7 +126,7 @@ ubuntu_22_04_aarch64_build_task:
test_binaries_cache:
folder: iox-tests-bin
reupload_on_changes: true
fingerprint_key: $CIRRUS_OS_ubuntu_22_04_aarch64_test_binaries_cache_$CIRRUS_BRANCH
fingerprint_key: $CIRRUS_OS_ubuntu_22_04_aarch64_test_binaries_cache_${CIRRUS_BUILD_ID}
build_script:
<<: *IOX_POSIX_CLEAN_BUILD_STRICT_WITH_ADDITIONAL_USER
populate_test_binary_folder_script:
Expand All @@ -141,7 +141,7 @@ ubuntu_22_04_aarch64_test_task:
test_binaries_cache:
folder: iox-tests-bin
reupload_on_changes: false
fingerprint_key: $CIRRUS_OS_ubuntu_22_04_aarch64_test_binaries_cache_$CIRRUS_BRANCH
fingerprint_key: $CIRRUS_OS_ubuntu_22_04_aarch64_test_binaries_cache_${CIRRUS_BUILD_ID}
test_script:
<<: *IOX_RUN_TESTS

Expand All @@ -158,7 +158,7 @@ arch_linux_x64_gcc_8_3_aka_qnx_canary_build_task:
test_binaries_cache:
folder: iox-tests-bin
reupload_on_changes: true
fingerprint_key: $CIRRUS_OS_archlinux_x64_gcc_8_3_aka_qnx_canary_test_binaries_cache_$CIRRUS_BRANCH
fingerprint_key: $CIRRUS_OS_archlinux_x64_gcc_8_3_aka_qnx_canary_test_binaries_cache_${CIRRUS_BUILD_ID}
env:
# use GCC 8.3 which corresponds to QCC 8.3 on QNX 7.1
CC: gcc-8
Expand All @@ -177,7 +177,7 @@ arch_linux_x64_gcc_8_3_aka_qnx_canary_test_task:
test_binaries_cache:
folder: iox-tests-bin
reupload_on_changes: false
fingerprint_key: $CIRRUS_OS_archlinux_x64_gcc_8_3_aka_qnx_canary_test_binaries_cache_$CIRRUS_BRANCH
fingerprint_key: $CIRRUS_OS_archlinux_x64_gcc_8_3_aka_qnx_canary_test_binaries_cache_${CIRRUS_BUILD_ID}
test_script:
<<: *IOX_RUN_TESTS

Expand All @@ -195,7 +195,7 @@ arch_linux_x64_build_task:
test_binaries_cache:
folder: iox-tests-bin
reupload_on_changes: true
fingerprint_key: $CIRRUS_OS_archlinux_x64_test_binaries_cache_$CIRRUS_BRANCH
fingerprint_key: $CIRRUS_OS_archlinux_x64_test_binaries_cache_${CIRRUS_BUILD_ID}
build_script:
<<: *IOX_POSIX_CLEAN_BUILD_STRICT_WITH_ADDITIONAL_USER
populate_test_binary_folder_script:
Expand All @@ -211,7 +211,7 @@ arch_linux_x64_test_task:
test_binaries_cache:
folder: iox-tests-bin
reupload_on_changes: false
fingerprint_key: $CIRRUS_OS_archlinux_x64_test_binaries_cache_$CIRRUS_BRANCH
fingerprint_key: $CIRRUS_OS_archlinux_x64_test_binaries_cache_${CIRRUS_BUILD_ID}
test_script:
<<: *IOX_RUN_TESTS

Expand All @@ -229,7 +229,7 @@ freebsd_x64_build_task:
test_binaries_cache:
folder: iox-tests-bin
reupload_on_changes: true
fingerprint_key: $CIRRUS_OS_freebsd_x64_test_binaries_cache_$CIRRUS_BRANCH
fingerprint_key: $CIRRUS_OS_freebsd_x64_test_binaries_cache_${CIRRUS_BUILD_ID}
setup_script:
- pkg install -y cmake git ncurses bash wget
- ln -s /usr/local/bin/bash /bin/bash
Expand All @@ -248,7 +248,7 @@ freebsd_x64_test_task:
test_binaries_cache:
folder: iox-tests-bin
reupload_on_changes: false
fingerprint_key: $CIRRUS_OS_freebsd_x64_test_binaries_cache_$CIRRUS_BRANCH
fingerprint_key: $CIRRUS_OS_freebsd_x64_test_binaries_cache_${CIRRUS_BUILD_ID}
test_script:
<<: *IOX_RUN_TESTS

Expand All @@ -266,7 +266,7 @@ macos_aarch64_build_task:
test_binaries_cache:
folder: iox-tests-bin
reupload_on_changes: true
fingerprint_key: $CIRRUS_OS_macOS_aarch64_test_binaries_cache_$CIRRUS_BRANCH
fingerprint_key: $CIRRUS_OS_macOS_aarch64_test_binaries_cache_${CIRRUS_BUILD_ID}
setup_script:
- brew install ncurses
build_script:
Expand All @@ -284,7 +284,7 @@ macos_aarch64_test_task:
test_binaries_cache:
folder: iox-tests-bin
reupload_on_changes: false
fingerprint_key: $CIRRUS_OS_macOS_aarch64_test_binaries_cache_$CIRRUS_BRANCH
fingerprint_key: $CIRRUS_OS_macOS_aarch64_test_binaries_cache_${CIRRUS_BUILD_ID}
env:
# No timing tests on macOS
GTEST_FILTER: "-*TimingTest*"
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/build-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,7 @@ jobs:
run-integration-test:
# prevent stuck jobs consuming runners for 6 hours
timeout-minutes: 60
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
needs: pre-flight-check
steps:
- name: Setup ROS
Expand Down Expand Up @@ -219,7 +219,7 @@ jobs:
coverage-and-docs:
# prevent stuck jobs consuming runners for 6 hours
timeout-minutes: 60
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
needs: pre-flight-check
steps:
- uses: actions/checkout@v4
Expand Down
1 change: 1 addition & 0 deletions .lycheeignore
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
https://github.com/eclipse-iceoryx/iceoryx/compare/vx.x.x...vx.x.x
https://github.com/eclipse-iceoryx/iceoryx/tree/vx.x.x
https://www.misra.org.uk/
https://www.gnu.org/software/screen/

[email protected]
8 changes: 8 additions & 0 deletions BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -14,12 +14,20 @@
#
# SPDX-License-Identifier: Apache-2.0

load("@bazel_skylib//rules:common_settings.bzl", "string_flag")
load("@buildifier_prebuilt//:rules.bzl", "buildifier")

exports_files(["LICENSE"])

exports_files(["VERSION"])

# values: auto, on, off
string_flag(
name = "feature_acl",
build_setting_default = "auto",
visibility = ["//visibility:public"],
)

alias(
name = "iceoryx_hoofs",
actual = "//iceoryx_hoofs",
Expand Down
1 change: 1 addition & 0 deletions MODULE.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ module(
version = "2.95.0",
)

bazel_dep(name = "bazel_skylib", version = "1.7.1")
bazel_dep(name = "cpptoml", version = "0.1.1")
bazel_dep(name = "platforms", version = "0.0.10")
bazel_dep(name = "rules_cc", version = "0.0.9")
Expand Down
6 changes: 4 additions & 2 deletions bazel/configure_file.bzl
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,13 @@ The configure_file rule imitates the similar CMake function for template expansi
"""

def _configure_file_impl(ctx):
config_all = dict(ctx.attr.config_constants, **ctx.attr.config_acl)
ctx.actions.expand_template(
template = ctx.file.src,
output = ctx.outputs.out,
substitutions = {
"@" + k + "@": v
for k, v in ctx.attr.config.items()
for k, v in config_all.items()
},
)
files = depset(direct = [ctx.outputs.out])
Expand All @@ -35,7 +36,8 @@ configure_file = rule(
implementation = _configure_file_impl,
provides = [DefaultInfo],
attrs = {
"config": attr.string_dict(mandatory = True),
"config_acl": attr.string_dict(mandatory = False),
"config_constants": attr.string_dict(mandatory = True),
"out": attr.output(mandatory = True),
"src": attr.label(mandatory = True, allow_single_file = True),
},
Expand Down
40 changes: 40 additions & 0 deletions doc/website/advanced/configuration-guide.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,46 @@ With that change, the footprint of the management segment is reduced to ~52.7 MB
For larger use cases you can increase the value to avoid that samples are dropped
on the subscriber side (see also [#615](https://github.com/eclipse-iceoryx/iceoryx/issues/615)).

## ACL Feature Flag

The ACL (Access Control List) feature is enabled by default on Linux and QNX platforms.
If you want to disable this feature, you can control it through a build option.

### Using CMake

To disable the ACL feature in a CMake build, pass the following flag when configuring the project:

```
-DIOX_PLATFORM_FEATURE_ACL=OFF
```

### Using Bazel

To disable the ACL feature in a Bazel build, use the following flag:
```
--//:feature_acl=off
```

For example:
```
bazel build --//:feature_acl=off //...
```

Alternatively, you can persist this setting in a `.bazelrc` file to apply it automatically in all builds:
```
build --//:feature_acl=off
```

This way, the ACL feature is disabled across builds without needing to pass the flag manually each time.

> [!NOTE]
> When using this flag in an external repository, you must prefix it with the repository's target name. For example:
> ```
> --@iceoryx//:feature_acl=off
> ```
>
> This ensures that the flag is applied to the correct target from the imported repository.
## Configuring Mempools for RouDi
RouDi supports several shared memory segments with different access rights, to
Expand Down
1 change: 1 addition & 0 deletions doc/website/release-notes/iceoryx-unreleased.md
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@
- Improve introspection-client interface by adding the number of ports in parentheses [#2299](https://github.com/eclipse-iceoryx/iceoryx/issues/2299)
- Add std::atomic abstraction [#2329](https://github.com/eclipse-iceoryx/iceoryx/issues/2329)
- Port iceoryx to bzlmod [#2325](https://github.com/eclipse-iceoryx/iceoryx/issues/2325)
- Make ACL support optional [#1176](https://github.com/eclipse-iceoryx/iceoryx/issues/1176)

**Bugfixes:**

Expand Down
7 changes: 3 additions & 4 deletions iceoryx_hoofs/BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ configure_file(
name = "iceoryx_hoofs_deployment_hpp",
src = "cmake/iceoryx_hoofs_deployment.hpp.in",
out = "generated/include/iox/iceoryx_hoofs_deployment.hpp",
config = {
config_constants = {
"IOX_MAX_NAMED_PIPE_MESSAGE_SIZE": "4096",
"IOX_MAX_NAMED_PIPE_NUMBER_OF_MESSAGES": "10",
# FIXME: for values see "iceoryx_hoofs/cmake/IceoryxHoofsDeployment.cmake" ... for now some nice defaults
Expand Down Expand Up @@ -84,14 +84,13 @@ cc_library(
linkopts = select({
"//iceoryx_platform:linux-clang": [
"-latomic",
"-lacl",
],
"//iceoryx_platform:linux-gcc": ["-lacl"],
"//iceoryx_platform:linux-gcc": [],
"//iceoryx_platform:mac": [],
"//iceoryx_platform:qnx": [],
"//iceoryx_platform:unix": [],
"//iceoryx_platform:win": [],
"//conditions:default": ["-lacl"],
"//conditions:default": [],
}),
visibility = ["//visibility:public"],
deps = ["//iceoryx_platform"],
Expand Down
2 changes: 1 addition & 1 deletion iceoryx_hoofs/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ iox_add_library(
NAMESPACE iceoryx_hoofs
PROJECT_PREFIX ${PREFIX}
PUBLIC_LIBS iceoryx_platform::iceoryx_platform
PRIVATE_LIBS_LINUX acl atomic ${CODE_COVERAGE_LIBS}
PRIVATE_LIBS_LINUX atomic ${CODE_COVERAGE_LIBS}
BUILD_INTERFACE ${PROJECT_SOURCE_DIR}/buffer/include
${PROJECT_SOURCE_DIR}/cli/include
${PROJECT_SOURCE_DIR}/concurrent/buffer/include
Expand Down
2 changes: 0 additions & 2 deletions iceoryx_hoofs/cmake/IceoryxHoofsDeployment.cmake
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,4 @@ configure_option(
DEFAULT_VALUE 10
)

message(STATUS "[i] IOX_EXPERIMENTAL_POSH_FLAG: ${IOX_EXPERIMENTAL_POSH_FLAG}")

message(STATUS "[i] <<<<<<<<<<<<<< End iceoryx_hoofs configuration: >>>>>>>>>>>>>>")
21 changes: 11 additions & 10 deletions iceoryx_hoofs/posix/filesystem/source/posix_acl.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ bool PosixAcl::writePermissionsToFile(const int32_t fileDescriptor) const noexce
}

// check if acl is valid
auto aclCheckCall = IOX_POSIX_CALL(acl_valid)(workingACL.get()).successReturnValue(0).evaluate();
auto aclCheckCall = IOX_POSIX_CALL(iox_acl_valid)(workingACL.get()).successReturnValue(0).evaluate();

if (aclCheckCall.has_error())
{
Expand All @@ -73,7 +73,8 @@ bool PosixAcl::writePermissionsToFile(const int32_t fileDescriptor) const noexce
}

// set acl in the file given by descriptor
auto aclSetFdCall = IOX_POSIX_CALL(acl_set_fd)(fileDescriptor, workingACL.get()).successReturnValue(0).evaluate();
auto aclSetFdCall =
IOX_POSIX_CALL(iox_acl_set_fd)(fileDescriptor, workingACL.get()).successReturnValue(0).evaluate();
if (aclSetFdCall.has_error())
{
IOX_LOG(ERROR, "Error: Could not set file ACL.");
Expand All @@ -86,7 +87,7 @@ bool PosixAcl::writePermissionsToFile(const int32_t fileDescriptor) const noexce
expected<PosixAcl::smartAclPointer_t, PosixAcl::Error> PosixAcl::createACL(const int32_t numEntries) noexcept
{
// allocate memory for a new ACL
auto aclInitCall = IOX_POSIX_CALL(acl_init)(numEntries).failureReturnValue(nullptr).evaluate();
auto aclInitCall = IOX_POSIX_CALL(iox_acl_init)(numEntries).failureReturnValue(nullptr).evaluate();

if (aclInitCall.has_error())
{
Expand All @@ -95,7 +96,7 @@ expected<PosixAcl::smartAclPointer_t, PosixAcl::Error> PosixAcl::createACL(const

// define how to free the memory (custom deleter for the smart pointer)
function<void(acl_t)> freeACL = [&](acl_t acl) {
auto aclFreeCall = IOX_POSIX_CALL(acl_free)(acl).successReturnValue(0).evaluate();
auto aclFreeCall = IOX_POSIX_CALL(iox_acl_free)(acl).successReturnValue(0).evaluate();
// We ensure here instead of returning as this lambda will be called by unique_ptr
IOX_ENFORCE(!aclFreeCall.has_error(), "Could not free ACL memory");
};
Expand Down Expand Up @@ -186,7 +187,7 @@ bool PosixAcl::createACLEntry(const acl_t ACL, const PermissionEntry& entry) noe
acl_entry_t newEntry{};
acl_t l_ACL{ACL};

auto aclCreateEntryCall = IOX_POSIX_CALL(acl_create_entry)(&l_ACL, &newEntry).successReturnValue(0).evaluate();
auto aclCreateEntryCall = IOX_POSIX_CALL(iox_acl_create_entry)(&l_ACL, &newEntry).successReturnValue(0).evaluate();

if (aclCreateEntryCall.has_error())
{
Expand All @@ -196,7 +197,7 @@ bool PosixAcl::createACLEntry(const acl_t ACL, const PermissionEntry& entry) noe

// set tag type for new entry (user, group, ...)
auto tagType = static_cast<acl_tag_t>(entry.m_category);
auto aclSetTagTypeCall = IOX_POSIX_CALL(acl_set_tag_type)(newEntry, tagType).successReturnValue(0).evaluate();
auto aclSetTagTypeCall = IOX_POSIX_CALL(iox_acl_set_tag_type)(newEntry, tagType).successReturnValue(0).evaluate();

if (aclSetTagTypeCall.has_error())
{
Expand All @@ -210,7 +211,7 @@ bool PosixAcl::createACLEntry(const acl_t ACL, const PermissionEntry& entry) noe
case ACL_USER:
{
auto aclSetQualifierCall =
IOX_POSIX_CALL(acl_set_qualifier)(newEntry, &(entry.m_id)).successReturnValue(0).evaluate();
IOX_POSIX_CALL(iox_acl_set_qualifier)(newEntry, &(entry.m_id)).successReturnValue(0).evaluate();

if (aclSetQualifierCall.has_error())
{
Expand All @@ -223,7 +224,7 @@ bool PosixAcl::createACLEntry(const acl_t ACL, const PermissionEntry& entry) noe
case ACL_GROUP:
{
auto aclSetQualifierCall =
IOX_POSIX_CALL(acl_set_qualifier)(newEntry, &(entry.m_id)).successReturnValue(0).evaluate();
IOX_POSIX_CALL(iox_acl_set_qualifier)(newEntry, &(entry.m_id)).successReturnValue(0).evaluate();

if (aclSetQualifierCall.has_error())
{
Expand All @@ -241,7 +242,7 @@ bool PosixAcl::createACLEntry(const acl_t ACL, const PermissionEntry& entry) noe
acl_permset_t entryPermissionSet{};

auto aclGetPermsetCall =
IOX_POSIX_CALL(acl_get_permset)(newEntry, &entryPermissionSet).successReturnValue(0).evaluate();
IOX_POSIX_CALL(iox_acl_get_permset)(newEntry, &entryPermissionSet).successReturnValue(0).evaluate();

if (aclGetPermsetCall.has_error())
{
Expand Down Expand Up @@ -280,7 +281,7 @@ bool PosixAcl::createACLEntry(const acl_t ACL, const PermissionEntry& entry) noe

bool PosixAcl::addAclPermission(acl_permset_t permset, acl_perm_t perm) noexcept
{
auto aclAddPermCall = IOX_POSIX_CALL(acl_add_perm)(permset, perm).successReturnValue(0).evaluate();
auto aclAddPermCall = IOX_POSIX_CALL(iox_acl_add_perm)(permset, perm).successReturnValue(0).evaluate();

if (aclAddPermCall.has_error())
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,12 @@
//
// SPDX-License-Identifier: Apache-2.0

#if defined(__linux__)
#include "iox/detail/posix_acl.hpp"

#if IOX_FEATURE_ACL

#include "iceoryx_platform/pwd.hpp"
#include "iceoryx_platform/stat.hpp"
#include "iox/detail/posix_acl.hpp"
#include "iox/posix_call.hpp"
#include "test.hpp"

Expand Down Expand Up @@ -300,4 +302,5 @@ TEST_F(PosixAcl_test, addStrangeNames)
EXPECT_FALSE(entryAdded);
}
} // namespace
#endif

#endif // IOX_FEATURE_ACL
Loading

0 comments on commit f88bc9c

Please sign in to comment.