All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dave Chinner <david@fromorbit.com>
To: Andreas Gruenbacher <agruenba@redhat.com>
Cc: Brian Foster <bfoster@redhat.com>, xfs@oss.sgi.com
Subject: Re: [PATCH 3/4] xfs: SGI ACLs: Map uid/gid namespaces
Date: Wed, 28 Oct 2015 09:37:24 +1100	[thread overview]
Message-ID: <20151027223724.GM19199@dastard> (raw)
In-Reply-To: <CAHc6FU4+z_1EqJHHpv7yPgO_s6k2gpcmq_zBofYyudAtK-bFyg@mail.gmail.com>

On Tue, Oct 27, 2015 at 10:10:26PM +0100, Andreas Gruenbacher wrote:
> On Tue, Oct 27, 2015 at 8:55 PM, Dave Chinner <david@fromorbit.com> wrote:
> > On Tue, Oct 27, 2015 at 04:55:22PM +0100, Andreas Gruenbacher wrote:
> > But now that I've thought about this a bit more, I don't think that
> > the changes you've made are correct - we shouldn't be doing uid/gid
> > namespace conversion in disk formating functions. That is, the
> > conversion of user/group types should be done at the incoming layers
> > (i.e. at VFS/ioctl layers), not deep in the guts of the XFS code.
> 
> There are two kinds of code paths where we need to convert between the
> SGI_ACL and the kernel's in-memory representation (struct posix_acl
> *): one is in the get_acl and set_acl iops, converting to/from the
> actual on-disk attrbutes, and the actual IDs stay the same. The other
> is in the get and set SGI_ACL xattr handlers which are invoked from
> the getxattr and setxattr iops. The conversion there is to/from the
> user-facing SGI_ACL xattrs, and ID mappings may be in effect.

And then we have the ioctls XFS_IOC_ATTRLIST_BY_HANDLE and
XFS_IOC_ATTRMULTI_BY_HANDLE which can directly access the ACL xattrs
without even going through the the getxattr and setxattr iops. They
go direct to xfs_attr_get/xfs_attr_set() and set/return the xattrs
with *exactly* what the caller/on-disk xattr provides.

IOWs, you've only addressed one possible vector for direct access to
the SGI_ACL xattrs....

> The VFS doesn't know anything about the SGI_ACL attributes, so XFS
> will have to do the ID mappings itself. We could convert the IDS
> in-place in separate pre- / post-passes over the xattr value and leave
> xfs_acl_from_disk and xfs_acl_to_disk alone. That's what the VFS does
> for POSIX ACLs. The problem there is that the setxattr iop and set
> xattr handler give us a const void * value; we cannot modify it
> without casting const away. Hence the additional namespace parameter
> to xfs_acl_from_disk and xfs_acl_to_disk instead.

Yes, I read your patches - you take a low level disk formating
function and make it also work as a high level conversion function
through a different interface that has no higher level conversion
interface. i.e. you're changing the user visible behaviour of
writing a specific xattr.

But I think it's also wrong: users are not supposed to manipulate
SGI_ACL_FILE/SGI_ACL_DEFAULT xattrs directly.  Just because root can
see them doesn't mean users should be touching them - users should
be using the kernel posix ACL interface/namespace to modify their
ACLs.

OTOH, xfsdump/restore require direct, unfiltered access to set
uid/gid/mode/xattrs exactly as they are found. Changing that
behaviour like your change does will break xfsdump/restore and
breaking userspace is not a negotiable option.

> > Why do you think we added the wrappers in the first place? It was
> > because the ns maintainer refused to follow standard, self
> > documenting type conversion naming conventions of <type>_to_<type>
> > so we added them ourselves. The user namespace code is horrible
> > enough without adding confusing type change functions everywhere...
> 
> Well, so far these functions were at least hiding the &init_user_ns
> part, they didn't just introduce XFS specific names for generic
> things.

That was precisely the reason they were introduced - the higher
levels should already be doing namespace conversions before anything
gets to the filesystem disk formatting routines. Hence the
&init_user_ns bullshit for getting a raw uid is just noise.

> It would be sad if every subsystem introduced their own names
> when they don't like the generic ones.

It was a symptom of the much larger problem: the userns maintainer
refusing or ignoring *all* requests to change anything or answer any
questions about how things like dump/restore is supposed to work
across user namespaces. Hence, for better or for worse, we were
forced to make up our own rules on how dump/restore and mapped ids
are supposed to interact....

Cheers,

Dave.
-- 
Dave Chinner
david@fromorbit.com

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

  reply	other threads:[~2015-10-27 22:37 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-10-23 13:52 Inconsistencies with trusted.SGI_ACL_{FILE,DEFAULT} Andreas Gruenbacher
2015-10-24 12:57 ` Brian Foster
2015-10-24 13:58   ` Andreas Gruenbacher
2015-10-24 15:22     ` Brian Foster
2015-10-24 15:36       ` Brian Foster
2015-10-24 21:05       ` Andreas Gruenbacher
2015-10-24 21:16         ` [PATCH 0/4] xfs: SGI ACL Fixes Andreas Gruenbacher
2015-10-24 21:16           ` [PATCH 1/4] xfs: Validate the length of on-disk ACLs Andreas Gruenbacher
2015-10-24 21:16           ` [PATCH 2/4] xfs: SGI ACLs: Fix caching and mode setting Andreas Gruenbacher
2015-10-26 14:02             ` Brian Foster
2015-10-26 15:39               ` Andreas Gruenbacher
2015-10-26 19:00                 ` Brian Foster
2015-10-24 21:16           ` [PATCH 3/4] xfs: SGI ACLs: Map uid/gid namespaces Andreas Gruenbacher
2015-10-26 21:46             ` Dave Chinner
2015-10-27 15:55               ` Andreas Gruenbacher
2015-10-27 19:55                 ` Dave Chinner
2015-10-27 21:10                   ` Andreas Gruenbacher
2015-10-27 22:37                     ` Dave Chinner [this message]
2015-10-27 23:38                       ` Andreas Gruenbacher
2015-10-24 21:16           ` [PATCH 4/4] xfs: SGI ACLs: Prepare for richacls Andreas Gruenbacher
2015-10-26 20:15             ` Andreas Gruenbacher
2015-10-26 14:02           ` [PATCH 0/4] xfs: SGI ACL Fixes Brian Foster
2015-10-26 21:32       ` Inconsistencies with trusted.SGI_ACL_{FILE,DEFAULT} Dave Chinner
2015-10-26 23:52         ` Andreas Gruenbacher
2015-10-27  5:30           ` Dave Chinner
2015-10-27 10:56             ` Andreas Gruenbacher
2015-10-27 20:18               ` Dave Chinner
2015-10-27 21:39                 ` Andreas Gruenbacher
2015-10-27 22:38                   ` Dave Chinner
2015-10-27 11:31             ` Brian Foster

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20151027223724.GM19199@dastard \
    --to=david@fromorbit.com \
    --cc=agruenba@redhat.com \
    --cc=bfoster@redhat.com \
    --cc=xfs@oss.sgi.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.