From: Seth Forshee <sforshee@digitalocean.com>
To: Christian Brauner <brauner@kernel.org>
Cc: Amir Goldstein <amir73il@gmail.com>,
Miklos Szeredi <mszeredi@redhat.com>,
Vivek Goyal <vgoyal@redhat.com>, Christoph Hellwig <hch@lst.de>,
Aleksa Sarai <cyphar@cyphar.com>,
linux-unionfs@vger.kernel.org
Subject: Re: [PATCH v2 3/3] ovl: handle idmappings in ovl_get_acl()
Date: Thu, 14 Jul 2022 16:37:40 -0500 [thread overview]
Message-ID: <YtCMpAM0OY78m5LK@do-x1extreme> (raw)
In-Reply-To: <20220708090134.385160-4-brauner@kernel.org>
On Fri, Jul 08, 2022 at 11:01:34AM +0200, Christian Brauner wrote:
> During permission checking overlayfs will call
>
> ovl_permission()
> -> generic_permission()
> -> acl_permission_check()
> -> check_acl()
> -> get_acl()
> -> inode->i_op->get_acl() == ovl_get_acl()
> -> get_acl() /* on the underlying filesystem */
> -> inode->i_op->get_acl() == /*lower filesystem callback */
> -> posix_acl_permission()
>
> passing through the get_acl() request to the underlying filesystem.
>
> Before returning these values to the VFS we need to take the idmapping of the
> relevant layer into account and translate any ACL_{GROUP,USER} values according
> to the idmapped mount.
>
> We cannot alter the ACLs returned from the relevant layer directly as that
> would alter the cached values filesystem wide for the lower filesystem. Instead
> we can clone the ACLs and then apply the relevant idmapping of the layer.
>
> This is obviously only relevant when idmapped layers are used.
>
> Cc: Seth Forshee <sforshee@digitalocean.com>
> Cc: Amir Goldstein <amir73il@gmail.com>
> Cc: Vivek Goyal <vgoyal@redhat.com>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Aleksa Sarai <cyphar@cyphar.com>
> Cc: Miklos Szeredi <mszeredi@redhat.com>
> Cc: linux-unionfs@vger.kernel.org
> Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Reviewed-by: Seth Forshee <sforshee@digitalocean.com>
next prev parent reply other threads:[~2022-07-14 21:37 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-08 9:01 [PATCH v2 0/3] ovl: acl fixes Christian Brauner
2022-07-08 9:01 ` [PATCH v2 1/3] acl: move idmapped mount fixup into vfs_{g,s}etxattr() Christian Brauner
2022-07-14 21:36 ` Seth Forshee
2022-07-08 9:01 ` [PATCH v2 2/3] acl: make posix_acl_clone() available to overlayfs Christian Brauner
2022-07-14 21:36 ` Seth Forshee
2022-07-08 9:01 ` [PATCH v2 3/3] ovl: handle idmappings in ovl_get_acl() Christian Brauner
2022-07-14 21:37 ` Seth Forshee [this message]
2022-07-13 10:18 ` [PATCH v2 0/3] ovl: acl fixes Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YtCMpAM0OY78m5LK@do-x1extreme \
--to=sforshee@digitalocean.com \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=cyphar@cyphar.com \
--cc=hch@lst.de \
--cc=linux-unionfs@vger.kernel.org \
--cc=mszeredi@redhat.com \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox