From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from out03.mta.xmission.com ([166.70.13.233]:37192 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750802AbeBVTTC (ORCPT ); Thu, 22 Feb 2018 14:19:02 -0500 From: ebiederm@xmission.com (Eric W. Biederman) To: Miklos Szeredi Cc: lkml , Linux Containers , linux-fsdevel , Alban Crequy , Seth Forshee , Sargun Dhillon , Dongsu Park , "Serge E. Hallyn" References: <878tbmf5vl.fsf@xmission.com> <20180221202908.17258-4-ebiederm@xmission.com> Date: Thu, 22 Feb 2018 13:18:33 -0600 In-Reply-To: (Miklos Szeredi's message of "Thu, 22 Feb 2018 12:40:18 +0100") Message-ID: <87inao6dfa.fsf@xmission.com> MIME-Version: 1.0 Content-Type: text/plain Subject: Re: [PATCH v6 4/5] fuse: Ensure posix acls are translated outside of init_user_ns Sender: linux-fsdevel-owner@vger.kernel.org List-ID: Miklos Szeredi writes: > On Wed, Feb 21, 2018 at 9:29 PM, Eric W. Biederman > wrote: >> Ensure the translation happens by failing to read or write >> posix acls when the filesystem has not indicated it supports >> posix acls. > > For the first iteration this is fine, but we could convert the raw > xattrs as well, if we later want to, right? I will say maybe. This is tricky. The code would not be too hard, and the function to do the work posix_acl_fix_xattr_userns already exists in fs/posix_acl.c I don't actually expect that to work longterm. I expect the direction the kernel internals are moving is that all filesystems that implement posix acls will be expected to implement .get_acl and .set_acl. I would have to reread the old thread that got us to this point with posix acls before I could really understand the backwards compatible fuse use case, and I would have to reread the rest of the acl processing in the kernel before I could recall exactly what makes sense. If there was an obvious way to whitelist xattrs that fuse can support for user namespaces I think I would go for that. Just to avoid future problems with future xattrs. Eric