| Message ID | 20220829123843.1146874-6-brauner@kernel.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | acl: rework idmap handling when setting posix acls | expand |
[Sorry, forgot to Cc ovl developers on accident.] On Mon, Aug 29, 2022 at 02:38:44PM +0200, Christian Brauner wrote: > The posix_acl_from_xattr() helper should mainly be used in > i_op->get_acl() handlers. It translates from the uapi struct into the > kernel internal POSIX ACL representation and doesn't care about mount > idmappings. > > Use the vfs_set_acl_prepare() helper to generate a kernel internal POSIX > ACL representation in struct posix_acl format taking care to map from > the mount idmapping into the filesystem's idmapping. > > The returned struct posix_acl is in the correct format to be cached by > the VFS or passed to the filesystem's i_op->set_acl() method to write to > the backing store. > > Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org> > --- > fs/overlayfs/super.c | 15 ++++++++++++++- > 1 file changed, 14 insertions(+), 1 deletion(-) > > diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c > index ec746d447f1b..5da771b218d1 100644 > --- a/fs/overlayfs/super.c > +++ b/fs/overlayfs/super.c > @@ -1022,7 +1022,20 @@ ovl_posix_acl_xattr_set(const struct xattr_handler *handler, > > /* Check that everything is OK before copy-up */ > if (value) { > - acl = posix_acl_from_xattr(&init_user_ns, value, size); > + /* The above comment can be understood in two ways: > + * > + * 1. We just want to check whether the basic POSIX ACL format > + * is ok. For example, if the header is correct and the size > + * is sane. > + * 2. We want to know whether the ACL_{GROUP,USER} entries can > + * be mapped according to the underlying filesystem. > + * > + * Currently, we only check 1. If we wanted to check 2. we > + * would need to pass the mnt_userns and the fs_userns of the > + * underlying filesystem. But frankly, I think checking 1. is > + * enough to start the copy-up. > + */ > + acl = vfs_set_acl_prepare(&init_user_ns, &init_user_ns, value, size); > if (IS_ERR(acl)) > return PTR_ERR(acl); > } > -- > 2.34.1 >
On Mon, Aug 29, 2022 at 02:38:44PM +0200, Christian Brauner wrote: > The posix_acl_from_xattr() helper should mainly be used in > i_op->get_acl() handlers. It translates from the uapi struct into the > kernel internal POSIX ACL representation and doesn't care about mount > idmappings. > > Use the vfs_set_acl_prepare() helper to generate a kernel internal POSIX > ACL representation in struct posix_acl format taking care to map from > the mount idmapping into the filesystem's idmapping. > > The returned struct posix_acl is in the correct format to be cached by > the VFS or passed to the filesystem's i_op->set_acl() method to write to > the backing store. > > Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org> Reviewed-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org>
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c index ec746d447f1b..5da771b218d1 100644 --- a/fs/overlayfs/super.c +++ b/fs/overlayfs/super.c @@ -1022,7 +1022,20 @@ ovl_posix_acl_xattr_set(const struct xattr_handler *handler, /* Check that everything is OK before copy-up */ if (value) { - acl = posix_acl_from_xattr(&init_user_ns, value, size); + /* The above comment can be understood in two ways: + * + * 1. We just want to check whether the basic POSIX ACL format + * is ok. For example, if the header is correct and the size + * is sane. + * 2. We want to know whether the ACL_{GROUP,USER} entries can + * be mapped according to the underlying filesystem. + * + * Currently, we only check 1. If we wanted to check 2. we + * would need to pass the mnt_userns and the fs_userns of the + * underlying filesystem. But frankly, I think checking 1. is + * enough to start the copy-up. + */ + acl = vfs_set_acl_prepare(&init_user_ns, &init_user_ns, value, size); if (IS_ERR(acl)) return PTR_ERR(acl); }
The posix_acl_from_xattr() helper should mainly be used in i_op->get_acl() handlers. It translates from the uapi struct into the kernel internal POSIX ACL representation and doesn't care about mount idmappings. Use the vfs_set_acl_prepare() helper to generate a kernel internal POSIX ACL representation in struct posix_acl format taking care to map from the mount idmapping into the filesystem's idmapping. The returned struct posix_acl is in the correct format to be cached by the VFS or passed to the filesystem's i_op->set_acl() method to write to the backing store. Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org> --- fs/overlayfs/super.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-)