From: Seth Forshee <sforshee@digitalocean.com>
To: Christian Brauner <brauner@kernel.org>
Cc: Amir Goldstein <amir73il@gmail.com>,
Miklos Szeredi <mszeredi@redhat.com>,
Vivek Goyal <vgoyal@redhat.com>, Christoph Hellwig <hch@lst.de>,
Aleksa Sarai <cyphar@cyphar.com>,
linux-unionfs@vger.kernel.org
Subject: Re: [PATCH v2 3/3] ovl: handle idmappings in ovl_get_acl()
Date: Thu, 14 Jul 2022 16:37:40 -0500
Message-ID: <YtCMpAM0OY78m5LK@do-x1extreme>
In-Reply-To: <20220708090134.385160-4-brauner@kernel.org>

On Fri, Jul 08, 2022 at 11:01:34AM +0200, Christian Brauner wrote:
> During permission checking overlayfs will call
>
> ovl_permission()
> -> generic_permission()
>    -> acl_permission_check()
>       -> check_acl()
>          -> get_acl()
>             -> inode->i_op->get_acl() == ovl_get_acl()
>                -> get_acl() /* on the underlying filesystem */
>                   -> inode->i_op->get_acl() == /*lower filesystem callback */
>          -> posix_acl_permission()
>
> passing through the get_acl() request to the underlying filesystem.
>
> Before returning these values to the VFS we need to take the idmapping of the
> relevant layer into account and translate any ACL_{GROUP,USER} values according
> to the idmapped mount.
>
> We cannot alter the ACLs returned from the relevant layer directly as that
> would alter the cached values filesystem wide for the lower filesystem. Instead
> we can clone the ACLs and then apply the relevant idmapping of the layer.
>
> This is obviously only relevant when idmapped layers are used.
>
> Cc: Seth Forshee <sforshee@digitalocean.com>
> Cc: Amir Goldstein <amir73il@gmail.com>
> Cc: Vivek Goyal <vgoyal@redhat.com>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Aleksa Sarai <cyphar@cyphar.com>
> Cc: Miklos Szeredi <mszeredi@redhat.com>
> Cc: linux-unionfs@vger.kernel.org
> Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>

Reviewed-by: Seth Forshee <sforshee@digitalocean.com>
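
The clone-then-translate approach described in the quoted commit message, as an added example that is not part of this mail or of the kernel patch. It is a simplified userspace model: every type and function name is hypothetical, the idmapping is a single range, and mapping an unmapped id to an invalid id is this model's assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified userspace model; every name here is hypothetical, not a kernel API. */
enum tag { TAG_USER_OBJ, TAG_USER, TAG_GROUP_OBJ, TAG_GROUP, TAG_MASK, TAG_OTHER };
#define ID_INVALID ((uint32_t)-1)

struct entry { enum tag tag; uint32_t id; unsigned perm; };
struct acl { size_t count; struct entry e[8]; };

/* One idmapping range: ids [fs_first, fs_first + len) on the layer's filesystem
 * are seen as [mnt_first, mnt_first + len) through the idmapped mount. */
struct idmap { uint32_t fs_first, mnt_first, len; };

static uint32_t map_id(const struct idmap *m, uint32_t id)
{
    if (id >= m->fs_first && id - m->fs_first < m->len)
        return m->mnt_first + (id - m->fs_first);
    return ID_INVALID; /* assumption: an unmapped id can match nobody */
}

/* Return a translated private copy; the cached ACL is never written to. */
struct acl *acl_clone_idmapped(const struct acl *cached, const struct idmap *m)
{
    struct acl *copy = malloc(sizeof(*copy));
    if (!copy)
        return NULL;
    memcpy(copy, cached, sizeof(*copy));
    for (size_t i = 0; i < copy->count; i++) {
        struct entry *e = &copy->e[i];
        /* Only named user/group entries carry an id that needs translating. */
        if (e->tag == TAG_USER || e->tag == TAG_GROUP)
            e->id = map_id(m, e->id);
    }
    return copy;
}

/* Constructed sample: the ACL as cached by the lower filesystem. */
static const struct acl sample_cached = { 4, {
    { TAG_USER_OBJ, ID_INVALID, 6 }, { TAG_USER, 1000, 7 },
    { TAG_GROUP, 5000, 5 }, { TAG_OTHER, ID_INVALID, 0 } } };
static const struct idmap sample_map = { 1000, 0, 1000 }; /* 1000..1999 -> 0..999 */

int main(void)
{
    struct acl *c = acl_clone_idmapped(&sample_cached, &sample_map);
    int ok = c && c->e[1].id == 0 && c->e[2].id == ID_INVALID
               && sample_cached.e[1].id == 1000; /* cache still untranslated */
    free(c);
    return ok ? 0 : 1;
}
```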