iox-#1176 Make ACL support optional

.bazelrc

@@ -37,3 +37,11 @@ build:tsan --linkopt="-fsanitize=thread"
 
 # tsan clang
 build:clang_tsan --config=clang --config=tsan
+
+#
+# feature flags
+#
+
+# value [auto, on, off]
+# 'auto' is platform dependent ('on' on Linux and QNX, 'off' on other OS) and the default value if the flag is not set
+#build --//:feature_acl=off

.cirrus.yaml

@@ -126,7 +126,7 @@ ubuntu_22_04_aarch64_build_task:
   test_binaries_cache:
     folder: iox-tests-bin
     reupload_on_changes: true
-    fingerprint_key: $CIRRUS_OS_ubuntu_22_04_aarch64_test_binaries_cache_$CIRRUS_BRANCH
+    fingerprint_key: $CIRRUS_OS_ubuntu_22_04_aarch64_test_binaries_cache_${CIRRUS_BUILD_ID}
   build_script:
     <<: *IOX_POSIX_CLEAN_BUILD_STRICT_WITH_ADDITIONAL_USER
   populate_test_binary_folder_script:
@@ -141,7 +141,7 @@ ubuntu_22_04_aarch64_test_task:
   test_binaries_cache:
     folder: iox-tests-bin
     reupload_on_changes: false
-    fingerprint_key: $CIRRUS_OS_ubuntu_22_04_aarch64_test_binaries_cache_$CIRRUS_BRANCH
+    fingerprint_key: $CIRRUS_OS_ubuntu_22_04_aarch64_test_binaries_cache_${CIRRUS_BUILD_ID}
   test_script:
     <<: *IOX_RUN_TESTS
 
@@ -158,7 +158,7 @@ arch_linux_x64_gcc_8_3_aka_qnx_canary_build_task:
   test_binaries_cache:
     folder: iox-tests-bin
     reupload_on_changes: true
-    fingerprint_key: $CIRRUS_OS_archlinux_x64_gcc_8_3_aka_qnx_canary_test_binaries_cache_$CIRRUS_BRANCH
+    fingerprint_key: $CIRRUS_OS_archlinux_x64_gcc_8_3_aka_qnx_canary_test_binaries_cache_${CIRRUS_BUILD_ID}
   env:
     # use GCC 8.3 which corresponds to QCC 8.3 on QNX 7.1
     CC: gcc-8
@@ -177,7 +177,7 @@ arch_linux_x64_gcc_8_3_aka_qnx_canary_test_task:
   test_binaries_cache:
     folder: iox-tests-bin
     reupload_on_changes: false
-    fingerprint_key: $CIRRUS_OS_archlinux_x64_gcc_8_3_aka_qnx_canary_test_binaries_cache_$CIRRUS_BRANCH
+    fingerprint_key: $CIRRUS_OS_archlinux_x64_gcc_8_3_aka_qnx_canary_test_binaries_cache_${CIRRUS_BUILD_ID}
   test_script:
     <<: *IOX_RUN_TESTS
 
@@ -195,7 +195,7 @@ arch_linux_x64_build_task:
   test_binaries_cache:
     folder: iox-tests-bin
     reupload_on_changes: true
-    fingerprint_key: $CIRRUS_OS_archlinux_x64_test_binaries_cache_$CIRRUS_BRANCH
+    fingerprint_key: $CIRRUS_OS_archlinux_x64_test_binaries_cache_${CIRRUS_BUILD_ID}
   build_script:
     <<: *IOX_POSIX_CLEAN_BUILD_STRICT_WITH_ADDITIONAL_USER
   populate_test_binary_folder_script:
@@ -211,7 +211,7 @@ arch_linux_x64_test_task:
   test_binaries_cache:
     folder: iox-tests-bin
     reupload_on_changes: false
-    fingerprint_key: $CIRRUS_OS_archlinux_x64_test_binaries_cache_$CIRRUS_BRANCH
+    fingerprint_key: $CIRRUS_OS_archlinux_x64_test_binaries_cache_${CIRRUS_BUILD_ID}
   test_script:
     <<: *IOX_RUN_TESTS
 
@@ -229,7 +229,7 @@ freebsd_x64_build_task:
   test_binaries_cache:
     folder: iox-tests-bin
     reupload_on_changes: true
-    fingerprint_key: $CIRRUS_OS_freebsd_x64_test_binaries_cache_$CIRRUS_BRANCH
+    fingerprint_key: $CIRRUS_OS_freebsd_x64_test_binaries_cache_${CIRRUS_BUILD_ID}
   setup_script:
     - pkg install -y cmake git ncurses bash wget
     - ln -s /usr/local/bin/bash /bin/bash
@@ -248,7 +248,7 @@ freebsd_x64_test_task:
   test_binaries_cache:
     folder: iox-tests-bin
     reupload_on_changes: false
-    fingerprint_key: $CIRRUS_OS_freebsd_x64_test_binaries_cache_$CIRRUS_BRANCH
+    fingerprint_key: $CIRRUS_OS_freebsd_x64_test_binaries_cache_${CIRRUS_BUILD_ID}
   test_script:
     <<: *IOX_RUN_TESTS
 
@@ -266,7 +266,7 @@ macos_aarch64_build_task:
   test_binaries_cache:
     folder: iox-tests-bin
     reupload_on_changes: true
-    fingerprint_key: $CIRRUS_OS_macOS_aarch64_test_binaries_cache_$CIRRUS_BRANCH
+    fingerprint_key: $CIRRUS_OS_macOS_aarch64_test_binaries_cache_${CIRRUS_BUILD_ID}
   setup_script:
     - brew install ncurses
   build_script:
@@ -284,7 +284,7 @@ macos_aarch64_test_task:
   test_binaries_cache:
     folder: iox-tests-bin
     reupload_on_changes: false
-    fingerprint_key: $CIRRUS_OS_macOS_aarch64_test_binaries_cache_$CIRRUS_BRANCH
+    fingerprint_key: $CIRRUS_OS_macOS_aarch64_test_binaries_cache_${CIRRUS_BUILD_ID}
   env:
     # No timing tests on macOS
     GTEST_FILTER: "-*TimingTest*"

.github/workflows/build-test.yml

@@ -119,7 +119,7 @@ jobs:
   run-integration-test:
     # prevent stuck jobs consuming runners for 6 hours
     timeout-minutes: 60
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: pre-flight-check
     steps:
       - name: Setup ROS
@@ -219,7 +219,7 @@ jobs:
   coverage-and-docs:
     # prevent stuck jobs consuming runners for 6 hours
     timeout-minutes: 60
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: pre-flight-check
     steps:
       - uses: actions/checkout@v4

.lycheeignore

@@ -1,5 +1,6 @@
 https://github.com/eclipse-iceoryx/iceoryx/compare/vx.x.x...vx.x.x
 https://github.com/eclipse-iceoryx/iceoryx/tree/vx.x.x
 https://www.misra.org.uk/
+https://www.gnu.org/software/screen/
 
 [email protected]

BUILD.bazel

@@ -14,12 +14,20 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
+load("@bazel_skylib//rules:common_settings.bzl", "string_flag")
 load("@buildifier_prebuilt//:rules.bzl", "buildifier")
 
 exports_files(["LICENSE"])
 
 exports_files(["VERSION"])
 
+# values: auto, on, off
+string_flag(
+    name = "feature_acl",
+    build_setting_default = "auto",
+    visibility = ["//visibility:public"],
+)
+
 alias(
     name = "iceoryx_hoofs",
     actual = "//iceoryx_hoofs",

MODULE.bazel

@@ -3,6 +3,7 @@ module(
     version = "2.95.0",
 )
 
+bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "cpptoml", version = "0.1.1")
 bazel_dep(name = "platforms", version = "0.0.10")
 bazel_dep(name = "rules_cc", version = "0.0.9")

bazel/configure_file.bzl

@@ -19,12 +19,13 @@ The configure_file rule imitates the similar CMake function for template expansi
 """
 
 def _configure_file_impl(ctx):
+    config_all = dict(ctx.attr.config_constants, **ctx.attr.config_acl)
     ctx.actions.expand_template(
         template = ctx.file.src,
         output = ctx.outputs.out,
         substitutions = {
             "@" + k + "@": v
-            for k, v in ctx.attr.config.items()
+            for k, v in config_all.items()
         },
     )
     files = depset(direct = [ctx.outputs.out])
@@ -35,7 +36,8 @@ configure_file = rule(
     implementation = _configure_file_impl,
     provides = [DefaultInfo],
     attrs = {
-        "config": attr.string_dict(mandatory = True),
+        "config_acl": attr.string_dict(mandatory = False),
+        "config_constants": attr.string_dict(mandatory = True),
         "out": attr.output(mandatory = True),
         "src": attr.label(mandatory = True, allow_single_file = True),
     },

doc/website/advanced/configuration-guide.md

@@ -39,6 +39,46 @@ With that change, the footprint of the management segment is reduced to ~52.7 MB
 For larger use cases you can increase the value to avoid that samples are dropped
 on the subscriber side (see also [#615](https://github.com/eclipse-iceoryx/iceoryx/issues/615)).
 
+## ACL Feature Flag
+
+The ACL (Access Control List) feature is enabled by default on Linux and QNX platforms.
+If you want to disable this feature, you can control it through a build option.
+
+### Using CMake
+
+To disable the ACL feature in a CMake build, pass the following flag when configuring the project:
+
+```
+-DIOX_PLATFORM_FEATURE_ACL=OFF
+```
+
+### Using Bazel
+
+To disable the ACL feature in a Bazel build, use the following flag:
+```
+--//:feature_acl=off
+```
+
+For example:
+```
+bazel build --//:feature_acl=off //...
+```
+
+Alternatively, you can persist this setting in a `.bazelrc` file to apply it automatically in all builds:
+```
+build --//:feature_acl=off
+```
+
+This way, the ACL feature is disabled across builds without needing to pass the flag manually each time.
+
+> [!NOTE]
+> When using this flag in an external repository, you must prefix it with the repository's target name. For example:
+> ```
+> --@iceoryx//:feature_acl=off
+> ```
+>
+> This ensures that the flag is applied to the correct target from the imported repository.
+
 ## Configuring Mempools for RouDi
 
 RouDi supports several shared memory segments with different access rights, to

doc/website/release-notes/iceoryx-unreleased.md

@@ -69,6 +69,7 @@
 - Improve introspection-client interface by adding the number of ports in parentheses [#2299](https://github.com/eclipse-iceoryx/iceoryx/issues/2299)
 - Add std::atomic abstraction [#2329](https://github.com/eclipse-iceoryx/iceoryx/issues/2329)
 - Port iceoryx to bzlmod [#2325](https://github.com/eclipse-iceoryx/iceoryx/issues/2325)
+- Make ACL support optional [#1176](https://github.com/eclipse-iceoryx/iceoryx/issues/1176)
 
 **Bugfixes:**
 

iceoryx_hoofs/BUILD.bazel

@@ -21,7 +21,7 @@ configure_file(
     name = "iceoryx_hoofs_deployment_hpp",
     src = "cmake/iceoryx_hoofs_deployment.hpp.in",
     out = "generated/include/iox/iceoryx_hoofs_deployment.hpp",
-    config = {
+    config_constants = {
         "IOX_MAX_NAMED_PIPE_MESSAGE_SIZE": "4096",
         "IOX_MAX_NAMED_PIPE_NUMBER_OF_MESSAGES": "10",
         # FIXME: for values see "iceoryx_hoofs/cmake/IceoryxHoofsDeployment.cmake" ... for now some nice defaults
@@ -84,14 +84,13 @@ cc_library(
     linkopts = select({
         "//iceoryx_platform:linux-clang": [
             "-latomic",
-            "-lacl",
         ],
-        "//iceoryx_platform:linux-gcc": ["-lacl"],
+        "//iceoryx_platform:linux-gcc": [],
         "//iceoryx_platform:mac": [],
         "//iceoryx_platform:qnx": [],
         "//iceoryx_platform:unix": [],
         "//iceoryx_platform:win": [],
-        "//conditions:default": ["-lacl"],
+        "//conditions:default": [],
     }),
     visibility = ["//visibility:public"],
     deps = ["//iceoryx_platform"],

iceoryx_hoofs/CMakeLists.txt

@@ -43,7 +43,7 @@ iox_add_library(
     NAMESPACE                   iceoryx_hoofs
     PROJECT_PREFIX              ${PREFIX}
     PUBLIC_LIBS                 iceoryx_platform::iceoryx_platform
-    PRIVATE_LIBS_LINUX          acl atomic ${CODE_COVERAGE_LIBS}
+    PRIVATE_LIBS_LINUX          atomic ${CODE_COVERAGE_LIBS}
     BUILD_INTERFACE             ${PROJECT_SOURCE_DIR}/buffer/include
                                 ${PROJECT_SOURCE_DIR}/cli/include
                                 ${PROJECT_SOURCE_DIR}/concurrent/buffer/include

iceoryx_hoofs/cmake/IceoryxHoofsDeployment.cmake

@@ -31,6 +31,4 @@ configure_option(
     DEFAULT_VALUE 10
 )
 
-message(STATUS "[i] IOX_EXPERIMENTAL_POSH_FLAG: ${IOX_EXPERIMENTAL_POSH_FLAG}")
-
 message(STATUS "[i] <<<<<<<<<<<<<< End iceoryx_hoofs configuration: >>>>>>>>>>>>>>")

iceoryx_hoofs/posix/filesystem/source/posix_acl.cpp

@@ -64,7 +64,7 @@ bool PosixAcl::writePermissionsToFile(const int32_t fileDescriptor) const noexce
     }
 
     // check if acl is valid
-    auto aclCheckCall = IOX_POSIX_CALL(acl_valid)(workingACL.get()).successReturnValue(0).evaluate();
+    auto aclCheckCall = IOX_POSIX_CALL(iox_acl_valid)(workingACL.get()).successReturnValue(0).evaluate();
 
     if (aclCheckCall.has_error())
     {
@@ -73,7 +73,8 @@ bool PosixAcl::writePermissionsToFile(const int32_t fileDescriptor) const noexce
     }
 
     // set acl in the file given by descriptor
-    auto aclSetFdCall = IOX_POSIX_CALL(acl_set_fd)(fileDescriptor, workingACL.get()).successReturnValue(0).evaluate();
+    auto aclSetFdCall =
+        IOX_POSIX_CALL(iox_acl_set_fd)(fileDescriptor, workingACL.get()).successReturnValue(0).evaluate();
     if (aclSetFdCall.has_error())
     {
         IOX_LOG(ERROR, "Error: Could not set file ACL.");
@@ -86,7 +87,7 @@ bool PosixAcl::writePermissionsToFile(const int32_t fileDescriptor) const noexce
 expected<PosixAcl::smartAclPointer_t, PosixAcl::Error> PosixAcl::createACL(const int32_t numEntries) noexcept
 {
     // allocate memory for a new ACL
-    auto aclInitCall = IOX_POSIX_CALL(acl_init)(numEntries).failureReturnValue(nullptr).evaluate();
+    auto aclInitCall = IOX_POSIX_CALL(iox_acl_init)(numEntries).failureReturnValue(nullptr).evaluate();
 
     if (aclInitCall.has_error())
     {
@@ -95,7 +96,7 @@ expected<PosixAcl::smartAclPointer_t, PosixAcl::Error> PosixAcl::createACL(const
 
     // define how to free the memory (custom deleter for the smart pointer)
     function<void(acl_t)> freeACL = [&](acl_t acl) {
-        auto aclFreeCall = IOX_POSIX_CALL(acl_free)(acl).successReturnValue(0).evaluate();
+        auto aclFreeCall = IOX_POSIX_CALL(iox_acl_free)(acl).successReturnValue(0).evaluate();
         // We ensure here instead of returning as this lambda will be called by unique_ptr
         IOX_ENFORCE(!aclFreeCall.has_error(), "Could not free ACL memory");
     };
@@ -186,7 +187,7 @@ bool PosixAcl::createACLEntry(const acl_t ACL, const PermissionEntry& entry) noe
     acl_entry_t newEntry{};
     acl_t l_ACL{ACL};
 
-    auto aclCreateEntryCall = IOX_POSIX_CALL(acl_create_entry)(&l_ACL, &newEntry).successReturnValue(0).evaluate();
+    auto aclCreateEntryCall = IOX_POSIX_CALL(iox_acl_create_entry)(&l_ACL, &newEntry).successReturnValue(0).evaluate();
 
     if (aclCreateEntryCall.has_error())
     {
@@ -196,7 +197,7 @@ bool PosixAcl::createACLEntry(const acl_t ACL, const PermissionEntry& entry) noe
 
     // set tag type for new entry (user, group, ...)
     auto tagType = static_cast<acl_tag_t>(entry.m_category);
-    auto aclSetTagTypeCall = IOX_POSIX_CALL(acl_set_tag_type)(newEntry, tagType).successReturnValue(0).evaluate();
+    auto aclSetTagTypeCall = IOX_POSIX_CALL(iox_acl_set_tag_type)(newEntry, tagType).successReturnValue(0).evaluate();
 
     if (aclSetTagTypeCall.has_error())
     {
@@ -210,7 +211,7 @@ bool PosixAcl::createACLEntry(const acl_t ACL, const PermissionEntry& entry) noe
     case ACL_USER:
     {
         auto aclSetQualifierCall =
-            IOX_POSIX_CALL(acl_set_qualifier)(newEntry, &(entry.m_id)).successReturnValue(0).evaluate();
+            IOX_POSIX_CALL(iox_acl_set_qualifier)(newEntry, &(entry.m_id)).successReturnValue(0).evaluate();
 
         if (aclSetQualifierCall.has_error())
         {
@@ -223,7 +224,7 @@ bool PosixAcl::createACLEntry(const acl_t ACL, const PermissionEntry& entry) noe
     case ACL_GROUP:
     {
         auto aclSetQualifierCall =
-            IOX_POSIX_CALL(acl_set_qualifier)(newEntry, &(entry.m_id)).successReturnValue(0).evaluate();
+            IOX_POSIX_CALL(iox_acl_set_qualifier)(newEntry, &(entry.m_id)).successReturnValue(0).evaluate();
 
         if (aclSetQualifierCall.has_error())
         {
@@ -241,7 +242,7 @@ bool PosixAcl::createACLEntry(const acl_t ACL, const PermissionEntry& entry) noe
     acl_permset_t entryPermissionSet{};
 
     auto aclGetPermsetCall =
-        IOX_POSIX_CALL(acl_get_permset)(newEntry, &entryPermissionSet).successReturnValue(0).evaluate();
+        IOX_POSIX_CALL(iox_acl_get_permset)(newEntry, &entryPermissionSet).successReturnValue(0).evaluate();
 
     if (aclGetPermsetCall.has_error())
     {
@@ -280,7 +281,7 @@ bool PosixAcl::createACLEntry(const acl_t ACL, const PermissionEntry& entry) noe
 
 bool PosixAcl::addAclPermission(acl_permset_t permset, acl_perm_t perm) noexcept
 {
-    auto aclAddPermCall = IOX_POSIX_CALL(acl_add_perm)(permset, perm).successReturnValue(0).evaluate();
+    auto aclAddPermCall = IOX_POSIX_CALL(iox_acl_add_perm)(permset, perm).successReturnValue(0).evaluate();
 
     if (aclAddPermCall.has_error())
     {

iceoryx_hoofs/test/moduletests/test_posix_filesystem_posix_acl.cpp

@@ -15,10 +15,12 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-#if defined(__linux__)
+#include "iox/detail/posix_acl.hpp"
+
+#if IOX_FEATURE_ACL
+
 #include "iceoryx_platform/pwd.hpp"
 #include "iceoryx_platform/stat.hpp"
-#include "iox/detail/posix_acl.hpp"
 #include "iox/posix_call.hpp"
 #include "test.hpp"
 
@@ -300,4 +302,5 @@ TEST_F(PosixAcl_test, addStrangeNames)
     EXPECT_FALSE(entryAdded);
 }
 } // namespace
-#endif
+
+#endif // IOX_FEATURE_ACL