acl attribute can now override immutable bit

larsewi · larsewi · commit 2f16047b6d77 · 2025-05-27T11:10:38.000+02:00
The acl attribute of the files promise can now override the immutable bit. Ticket: ENT-10961, CFE-1840 Changelog: Commit Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
diff --git a/cf-agent/acl_posix.c b/cf-agent/acl_posix.c
@@ -33,6 +33,8 @@
 #include <rlist.h>
 #include <eval_context.h>
 #include <unix.h>               /* GetGroupID(), GetUserID() */
+#include <override_fsattrs.h>
+#include "fsattrs.h"
 
 #ifdef HAVE_ACL_H
 # include <acl.h>
@@ -389,6 +391,11 @@ static bool CheckPosixLinuxACEs(EvalContext *ctx, Rlist *aces, AclMethod method,
                 acl_free(acl_text_str);
                 return false;
             }
+
+            bool was_immutable = false;
+            const bool override_immutable = EvalContextOverrideImmutableGet(ctx);
+            FSAttrsResult res = TemporarilyClearImmutableBit(changes_path, override_immutable, &was_immutable);
+
             if ((retv = acl_set_file(changes_path, acl_type, acl_new)) != 0)
             {
                 RecordFailure(ctx, pp, a,
@@ -406,6 +413,8 @@ static bool CheckPosixLinuxACEs(EvalContext *ctx, Rlist *aces, AclMethod method,
             }
             acl_free(acl_text_str);
 
+            ResetTemporarilyClearedImmutableBit(changes_path, override_immutable, res, was_immutable);
+
             RecordChange(ctx, pp, a, "%s ACL on '%s' successfully changed", acl_type_str, file_path);
             *result = PromiseResultUpdate(*result, PROMISE_RESULT_CHANGE);
         }
