Re: [PATCH 4/6] acl: move idmapping handling into posix_acl_xattr_set()

[Seth Forshee <sforshee@digitalocean.com>]

On Mon, Aug 29, 2022 at 02:38:43PM +0200, Christian Brauner wrote:
> The uapi POSIX ACL struct passed through the value argument during
> setxattr() contains {g,u}id values encoded via ACL_{GROUP,USER} entries
> that should actually be stored in the form of k{g,u}id_t (See [1] for a
> long explanation of the issue.).
> 
> In 0c5fd887d2bb ("acl: move idmapped mount fixup into vfs_{g,s}etxattr()")
> we took the mount's idmapping into account in order to let overlayfs
> handle POSIX ACLs on idmapped layers correctly. The fixup is currently
> performed directly in vfs_setxattr() which piles on top of the earlier
> hackiness by handling the mount's idmapping and stuff the vfs{g,u}id_t
> values into the uapi struct as well. While that is all correct and works
> fine it's just ugly.
> 
> Now that we have introduced vfs_make_posix_acl() earlier move handling
> idmapped mounts out of vfs_setxattr() and into the POSIX ACL handler
> where it belongs.
> 
> Note that we also need to call vfs_make_posix_acl() for EVM which
> interpretes POSIX ACLs during security_inode_setxattr(). Leave them a
> longer comment for future reference.
> 
> All filesystems that support idmapped mounts via FS_ALLOW_IDMAP use the
> standard POSIX ACL xattr handlers and are covered by this change. This
> includes overlayfs which simply calls vfs_{g,s}etxattr().
> 
> The following filesystems use custom POSIX ACL xattr handlers: 9p, cifs,
> ecryptfs, and ntfs3 (and overlayfs but we've covered that in the paragraph
> above) and none of them support idmapped mounts yet.
> 
> Link: https://lore.kernel.org/all/20220801145520.1532837-1-brauner@kernel.org/ [1]
> Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>

Reviewed-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org>