[v2,04/30] fs: add new get acl method

Message ID	20220926140827.142806-5-brauner@kernel.org (mailing list archive)
State	Superseded
Delegated to:	Paul Moore
Headers	show Return-Path: <linux-security-module-owner@kernel.org> From: Christian Brauner <brauner@kernel.org> To: linux-fsdevel@vger.kernel.org Cc: Christian Brauner <brauner@kernel.org>, Seth Forshee <sforshee@kernel.org>, Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>, linux-security-module@vger.kernel.org Subject: [PATCH v2 04/30] fs: add new get acl method Date: Mon, 26 Sep 2022 16:08:01 +0200 Message-Id: <20220926140827.142806-5-brauner@kernel.org> In-Reply-To: <20220926140827.142806-1-brauner@kernel.org> References: <20220926140827.142806-1-brauner@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	acl: add vfs posix acl api \| expand [v2,00/30] acl: add vfs posix acl api [v2,01/30] orangefs: rework posix acl handling when creating new filesystem objects [v2,02/30] fs: pass dentry to set acl method [v2,03/30] fs: rename current get acl method [v2,04/30] fs: add new get acl method [v2,05/30] cifs: implement get acl method [v2,06/30] cifs: implement set acl method [v2,07/30] 9p: implement get acl method [v2,08/30] 9p: implement set acl method [v2,09/30] acl: add vfs_set_acl() [v2,10/30] security: add set acl hook [v2,11/30] selinux: implement set acl hook [v2,12/30] smack: implement set acl hook [v2,13/30] evm: implement set acl hook [v2,14/30] acl: use set acl hook [v2,15/30] evm: add post set acl hook [v2,16/30] acl: add vfs_get_acl() [v2,17/30] acl: add vfs_remove_acl() [v2,18/30] evm: simplify evm_xattr_acl_change() [v2,19/30] ksmbd: use vfs_remove_acl() [v2,20/30] ecryptfs: implement get acl method [v2,21/30] ecryptfs: implement set acl method [v2,22/30] ovl: implement get acl method [v2,23/30] ovl: implement set acl method [v2,24/30] ovl: use posix acl api [v2,25/30] xattr: use posix acl api [v2,26/30] ecryptfs: use stub posix acl handlers [v2,27/30] ovl: use stub posix acl handlers [v2,28/30] cifs: use stub posix acl handlers [v2,29/30] 9p: use stub posix acl handlers [v2,30/30] acl: remove a slew of now unused helpers

Message ID

20220926140827.142806-5-brauner@kernel.org (mailing list archive)

State

Superseded

Delegated to:

Paul Moore

Headers

From: Christian Brauner <brauner@kernel.org>
To: linux-fsdevel@vger.kernel.org
Cc: Christian Brauner <brauner@kernel.org>,
        Seth Forshee <sforshee@kernel.org>,
        Christoph Hellwig <hch@lst.de>,
        Al Viro <viro@zeniv.linux.org.uk>,
        linux-security-module@vger.kernel.org
Subject: [PATCH v2 04/30] fs: add new get acl method
Date: Mon, 26 Sep 2022 16:08:01 +0200
Message-Id: <20220926140827.142806-5-brauner@kernel.org>
In-Reply-To: <20220926140827.142806-1-brauner@kernel.org>
References: <20220926140827.142806-1-brauner@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

acl: add vfs posix acl api | expand

Commit Message

Christian Brauner Sept. 26, 2022, 2:08 p.m. UTC

The current way of setting and getting posix acls through the generic
xattr interface is error prone and type unsafe. The vfs needs to
interpret and fixup posix acls before storing or reporting it to
userspace. Various hacks exist to make this work. The code is hard to
understand and difficult to maintain in it's current form. Instead of
making this work by hacking posix acls through xattr handlers we are
building a dedicated posix acl api around the get and set inode
operations. This removes a lot of hackiness and makes the codepaths
easier to maintain. A lot of background can be found in [1].

Since some filesystem rely on the dentry being available to them when
setting posix acls (e.g., 9p and cifs) they cannot rely on the old get
acl inode operation to retrieve posix acl and need to implement their
own custom handlers because of that.

In a previous patch we renamed the old get acl inode operation to
->get_inode_acl(). We decided to rename it and implement a new one since
->get_inode_acl() is called generic_permission() and inode_permission()
both of which can be called during an filesystem's ->permission()
handler. So simply passing a dentry argument to ->get_acl() would have
amounted to also having to pass a dentry argument to ->permission(). We
avoided that change.

This adds a new ->get_acl() inode operations which takes a dentry
argument which filesystems such as 9p, cifs, and overlayfs can implement
to get posix acls.

Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org [1]
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
---

Notes:
    /* v2 */
    unchanged

 Documentation/filesystems/locking.rst | 2 ++
 Documentation/filesystems/vfs.rst     | 1 +
 include/linux/fs.h                    | 2 ++
 3 files changed, 5 insertions(+)

diff --git a/Documentation/filesystems/locking.rst b/Documentation/filesystems/locking.rst
index 1cd2930e54ee..4a0fcaeec58c 100644
--- a/Documentation/filesystems/locking.rst
+++ b/Documentation/filesystems/locking.rst
@@ -83,6 +83,7 @@  prototypes::
 	int (*fileattr_set)(struct user_namespace *mnt_userns,
 			    struct dentry *dentry, struct fileattr *fa);
 	int (*fileattr_get)(struct dentry *dentry, struct fileattr *fa);
+	struct posix_acl * (*get_acl)(struct user_namespace *, struct dentry *, int);
 
 locking rules:
 	all may block
@@ -104,6 +105,7 @@  get_link:	no
 setattr:	exclusive
 permission:	no (may not block if called in rcu-walk mode)
 get_inode_acl:	no
+get_acl:	no
 getattr:	no
 listxattr:	no
 fiemap:		no
diff --git a/Documentation/filesystems/vfs.rst b/Documentation/filesystems/vfs.rst
index 4fc6f1e23012..344f5f421c64 100644
--- a/Documentation/filesystems/vfs.rst
+++ b/Documentation/filesystems/vfs.rst
@@ -440,6 +440,7 @@  As of kernel 2.6.22, the following members are defined:
 		int (*atomic_open)(struct inode *, struct dentry *, struct file *,
 				   unsigned open_flag, umode_t create_mode);
 		int (*tmpfile) (struct user_namespace *, struct inode *, struct dentry *, umode_t);
+		struct posix_acl * (*get_acl)(struct user_namespace *, struct dentry *, int);
 	        int (*set_acl)(struct user_namespace *, struct inode *, struct posix_acl *, int);
 		int (*fileattr_set)(struct user_namespace *mnt_userns,
 				    struct dentry *dentry, struct fileattr *fa);
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 11cddd040578..badff81b9dde 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2168,6 +2168,8 @@  struct inode_operations {
 			   umode_t create_mode);
 	int (*tmpfile) (struct user_namespace *, struct inode *,
 			struct dentry *, umode_t);
+	struct posix_acl *(*get_acl)(struct user_namespace *, struct dentry *,
+				     int);
 	int (*set_acl)(struct user_namespace *, struct dentry *,
 		       struct posix_acl *, int);
 	int (*fileattr_set)(struct user_namespace *mnt_userns,

[v2,04/30] fs: add new get acl method

Commit Message

Patch