Martin Pärtel

I think that's correct. We'd have to 1. implement `access` 2. add a call to most operations (e.g. to `open` but not to `read` AIUI) 3. unit test carefully* Looking...

:+1: :+1: Looks like libacl is readily available in distros, and we could even optionally bundle it since both projects are (L)GPL. But we can worry about all that later....

Good find! > my `posix_acl.h` file doesn't actually contain the `posix_acl_permission` declaration The headers in `/usr/include/linux` define the userspace API, but `posix_acl_permission` is an internal function in the kernel i.e....

Good progress! > 1. Do you agree that access and cat (for example) should report the same values? I'm not sure. The `access` man page says there are subtle differences:...

> [setuid/setgid] > By disable I mean that setuid/setgid has no effect. That matches what your test shows. If your `ping` is setuid (weird - mine isn't) then inside the...

:+1: > If the mount is owned by a non-root user, it appears as though `root` can still execute binaries that require setuid to work. I expected it to fail,...

Each operation's man page (`man 2 mkdir` for `bindfs_mkdir` etc) has fairly good documentation about these, especially where they talk about `EACCES`. Even if the first implementation feels uncertain, we...

Your approach looks good :+1: > > I haven't really spent any time looking at your tests yet, so I'll familiarise myself with those and get started on a permuted...

Sorry for the late response. Crazy month. bindfs doesn't currently know anything about selinux. Also, I don't currently know much about selinux, and I'm unfortunately way too busy in the...

Done, I think (somewhat new to C# outside of Unity)