From: Christian Brauner <brauner@kernel.org>
To: linux-fsdevel@vger.kernel.org
Cc: Christian Brauner <brauner@kernel.org>,
	Seth Forshee <sforshee@kernel.org>,
	Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>,
	Miklos Szeredi <miklos@szeredi.hu>,
	Amir Goldstein <amir73il@gmail.com>,
	linux-unionfs@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [PATCH v2 24/30] ovl: use posix acl api
Date: Mon, 26 Sep 2022 16:08:21 +0200	[thread overview]
Message-ID: <20220926140827.142806-25-brauner@kernel.org> (raw)
In-Reply-To: <20220926140827.142806-1-brauner@kernel.org>

Now that posix acls have a proper api, use it to copy them.

All filesystems that can serve as lower or upper layers for overlayfs
have gained support for the new posix acl api in previous patches.
So switch all internal overlayfs codepaths for copying posix acls to the
new posix acl api.

Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
---

Notes:
    /* v2 */
    Miklos Szeredi <miklos@szeredi.hu>:
    - Move ovl_copy_acl() from util.c to copy_up.c
    - Unconditionally clone posix acls

 fs/overlayfs/copy_up.c   | 38 ++++++++++++++++++++++++++++++++++++++
 fs/overlayfs/dir.c       | 20 ++------------------
 fs/overlayfs/inode.c     |  4 ++--
 fs/overlayfs/overlayfs.h |  7 +++++++
 fs/overlayfs/super.c     |  6 ++----
 fs/xattr.c               |  6 ------
 include/linux/xattr.h    |  6 ++++++
 7 files changed, 57 insertions(+), 30 deletions(-)

diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
index fdde6c56cc3d..f2e36c841d6f 100644
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -44,6 +44,35 @@ static bool ovl_must_copy_xattr(const char *name)
 	       !strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN);
 }
 
+static int ovl_copy_acl(struct ovl_fs *ofs, const struct path *path,
+			struct dentry *dentry, const char *acl_name)
+{
+	int err;
+	struct posix_acl *clone, *real_acl = NULL;
+
+	real_acl = ovl_get_acl_path(path, acl_name);
+	if (!real_acl)
+		return 0;
+
+	if (IS_ERR(real_acl)) {
+		err = PTR_ERR(real_acl);
+		if (err == -ENODATA || err == -EOPNOTSUPP)
+			return 0;
+		return err;
+	}
+
+	clone = posix_acl_clone(real_acl, GFP_KERNEL);
+	posix_acl_release(real_acl); /* release original acl */
+	if (!clone)
+		return -ENOMEM;
+
+	err = ovl_do_set_acl(ofs, dentry, acl_name, clone);
+
+	/* release cloned acl */
+	posix_acl_release(clone);
+	return err;
+}
+
 int ovl_copy_xattr(struct super_block *sb, struct path *oldpath, struct dentry *new)
 {
 	struct dentry *old = oldpath->dentry;
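Review bot: ovl_copy_acl() carries no comment on its error contract, and the asymmetry matters for access control: -ENODATA and -EOPNOTSUPP from ovl_get_acl_path() become success, so the upper object is created without that ACL, while any failure from ovl_do_set_acl() is returned to the caller. A header comment would pin that down, e.g. `/* Copy one POSIX ACL to @dentry. A missing or unsupported ACL on the source is not an error; a failed set is. */`. The inode.c hunk shows ovl_get_acl_path() declaring its own `clone` local, which suggests it may already hand back a private copy in some cases; its body is not visible here, so a short why-comment on the second posix_acl_clone() (the v2 notes say the clone is unconditional) would save the next reader the question. The `= NULL` initialiser on `real_acl` is dead, since the variable is assigned in the next statement.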
@@ -93,6 +122,15 @@ int ovl_copy_xattr(struct super_block *sb, struct path *oldpath, struct dentry *
 			error = 0;
 			continue; /* Discard */
 		}
+
+		if (is_posix_acl_xattr(name)) {
+			error = ovl_copy_acl(OVL_FS(sb), oldpath, new, name);
+			if (!error)
+				continue;
+			/* POSIX ACLs must be copied. */
+			break;
+		}
+
 retry:
 		size = ovl_do_getxattr(oldpath, name, value, value_size);
 		if (size == -ERANGE)
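Review bot: The comment `/* POSIX ACLs must be copied. */` above the `break` states the rule but not the reason, and the reason is the security property of this branch: an upper copy created without its ACL would be governed by the mode bits alone. Consider `/* Fail copy-up rather than create an upper object whose ACL was dropped. */`. ovl_copy_xattr() begins and ends outside this hunk, so how `error` is handled after the loop cannot be checked from these lines.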
diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index 0e817ebce92c..cbb569d5d234 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -435,28 +435,12 @@ static struct dentry *ovl_clear_empty(struct dentry *dentry,
 }
 
 static int ovl_set_upper_acl(struct ovl_fs *ofs, struct dentry *upperdentry,
-			     const char *name, const struct posix_acl *acl)
+			     const char *acl_name, struct posix_acl *acl)
 {
-	void *buffer;
-	size_t size;
-	int err;
-
 	if (!IS_ENABLED(CONFIG_FS_POSIX_ACL) || !acl)
 		return 0;
 
-	size = posix_acl_xattr_size(acl->a_count);
-	buffer = kmalloc(size, GFP_KERNEL);
-	if (!buffer)
-		return -ENOMEM;
-
-	err = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
-	if (err < 0)
-		goto out_free;
-
-	err = ovl_do_setxattr(ofs, upperdentry, name, buffer, size, XATTR_CREATE);
-out_free:
-	kfree(buffer);
-	return err;
+	return ovl_do_set_acl(ofs, upperdentry, acl_name, acl);
 }
 
 static int ovl_create_over_whiteout(struct dentry *dentry, struct inode *inode,
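Review bot: The removed body called ovl_do_setxattr() with XATTR_CREATE, so setting an ACL on an upper dentry that already carried one failed; the new `return ovl_do_set_acl(ofs, upperdentry, acl_name, acl);` passes no flag. ovl_do_set_acl() is not defined on this page, so whether create-only behaviour is kept or an existing ACL is now replaced cannot be confirmed from here. If replacement is intended, a one-line comment such as `/* Replaces any ACL already present on @upperdentry. */` would record the change; the commit message does not mention it. The parameter also loses its `const` qualifier, presumably because the new helper takes a non-const ACL.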
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index fc4c2d821343..12b34b01ed54 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -550,8 +550,8 @@ struct posix_acl *ovl_get_inode_acl(struct inode *inode, int type, bool rcu)
 	return clone;
 }
 
-static struct posix_acl *ovl_get_acl_path(const struct path *path,
-					  const char *acl_name)
+struct posix_acl *ovl_get_acl_path(const struct path *path,
+				   const char *acl_name)
 {
 	struct posix_acl *real_acl, *clone;
 	struct user_namespace *mnt_userns;
diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
index b2645baeba2f..f3b6d6625604 100644
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -614,10 +614,17 @@ int ovl_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry,
 void ovl_idmap_posix_acl(struct inode *realinode,
 			 struct user_namespace *mnt_userns,
 			 struct posix_acl *acl);
+struct posix_acl *ovl_get_acl_path(const struct path *path,
+				   const char *acl_name);
 #else
 #define ovl_get_inode_acl	NULL
 #define ovl_get_acl		NULL
 #define ovl_set_acl		NULL
+static inline struct posix_acl *ovl_get_acl_path(const struct path *path,
+						 const char *acl_name)
+{
+	return NULL;
+}
 #endif
 
 int ovl_update_time(struct inode *inode, struct timespec64 *ts, int flags);
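Review bot: The stub added in the `#else` branch (presumably the build without POSIX ACL support; the `#if` line is outside the hunk) returns NULL, and ovl_copy_acl() in copy_up.c treats NULL as "no ACL" and returns 0. In that configuration a `system.posix_acl_*` name listed by the source layer is then skipped by the new branch in ovl_copy_xattr() instead of reaching the generic xattr copy as before, which sits oddly with the "POSIX ACLs must be copied" comment there. Whether a layer can still list such a name in that build is not visible here, so this is worth confirming. If the skip is intended, say so on the stub, e.g. `/* No ACL support: report "no ACL" so copy-up skips the xattr. */`.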
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index 5da771b218d1..8a13319db1d3 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -812,13 +812,11 @@ static struct dentry *ovl_workdir_create(struct ovl_fs *ofs,
 		 * allowed as upper are limited to "normal" ones, where checking
 		 * for the above two errors is sufficient.
 		 */
-		err = ovl_do_removexattr(ofs, work,
-					 XATTR_NAME_POSIX_ACL_DEFAULT);
+		err = ovl_do_remove_acl(ofs, work, XATTR_NAME_POSIX_ACL_DEFAULT);
 		if (err && err != -ENODATA && err != -EOPNOTSUPP)
 			goto out_dput;
 
-		err = ovl_do_removexattr(ofs, work,
-					 XATTR_NAME_POSIX_ACL_ACCESS);
+		err = ovl_do_remove_acl(ofs, work, XATTR_NAME_POSIX_ACL_ACCESS);
 		if (err && err != -ENODATA && err != -EOPNOTSUPP)
 			goto out_dput;
 
diff --git a/fs/xattr.c b/fs/xattr.c
index e16d7bde4935..0b9a84921c4d 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -281,12 +281,6 @@ __vfs_setxattr_locked(struct user_namespace *mnt_userns, struct dentry *dentry,
 }
 EXPORT_SYMBOL_GPL(__vfs_setxattr_locked);
 
-static inline bool is_posix_acl_xattr(const char *name)
-{
-	return (strcmp(name, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
-	       (strcmp(name, XATTR_NAME_POSIX_ACL_DEFAULT) == 0);
-}
-
 int
 vfs_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry,
 	     const char *name, const void *value, size_t size, int flags)
diff --git a/include/linux/xattr.h b/include/linux/xattr.h
index 8267e547e631..d44d59177026 100644
--- a/include/linux/xattr.h
+++ b/include/linux/xattr.h
@@ -22,6 +22,12 @@
 struct inode;
 struct dentry;
 
+static inline bool is_posix_acl_xattr(const char *name)
+{
+	return (strcmp(name, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
+	       (strcmp(name, XATTR_NAME_POSIX_ACL_DEFAULT) == 0);
+}
+
 /*
  * struct xattr_handler: When @name is set, match attributes with exactly that
  * name.  When @prefix is set instead, match attributes with that prefix and
-- 
2.34.1

