From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-fsdevel-owner@vger.kernel.org>
Received: from mail-oi0-f52.google.com ([209.85.218.52]:35152 "EHLO
	mail-oi0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S932090AbcGAUEA (ORCPT
	<rfc822;linux-fsdevel@vger.kernel.org>);
	Fri, 1 Jul 2016 16:04:00 -0400
Received: by mail-oi0-f52.google.com with SMTP id r2so125053655oih.2
        for <linux-fsdevel@vger.kernel.org>; Fri, 01 Jul 2016 13:03:59 -0700 (PDT)
Date: Fri, 1 Jul 2016 14:58:56 -0500
From: Seth Forshee <seth.forshee@canonical.com>
To: fuse-devel@lists.sourceforge.net, linux-fsdevel@vger.kernel.org,
	Miklos Szeredi <miklos@szeredi.hu>,
	"Eric W. Biederman" <ebiederm@xmission.com>
Subject: Re: [RFC] fuse: Support posix ACLs
Message-ID: <20160701195856.GC67600@ubuntu-hedt>
References: <20160629190731.GF53123@ubuntu-hedt>
 <87k2h59my3.fsf@thinkpad.rath.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87k2h59my3.fsf@thinkpad.rath.org>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: <linux-fsdevel.vger.kernel.org>

On Fri, Jul 01, 2016 at 12:29:24PM -0700, Nikolaus Rath wrote:
> On Jun 29 2016, Seth Forshee <seth.forshee@canonical.com> wrote:
> > Eric and I are working towards adding support for fuse mounts in
> > non-init user namespaces. Towards that end we'd like to add ACL support
> > to fuse as this will allow for a cleaner implementation overall. Below
> > is an initial patch to support this. I'd like to get some general
> > feedback on this patch and ask a couple of specific questions.
> >
> > There are some indications that fuse supports ACLs on the userspace side
> > when default_permissions is not used (though I'm not seeing how that
> > works). Will these changes conflict with that support, and if how do we
> > avoid those conflicts?
> >
> I think as long as the kernel interprets ACLs only if default_permission
> is used, you should be fine.

With !default_permission fuse never calls generic_permission so the
kernel won't enforce the acls regardless. For the purpose of user
namespace mounts it's still useful if the kernel intercepts them so that
the posix acl layer can do the uid/gid translation before passing it to
the filesystem. The xattrs still get sent on to the filesystem, however
cached acls if present would be used to satisfy reads of the acl xatts.

Thanks,
Seth