Re: [PATCH] fuse: fixes after adapting to new posix acl api

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, 24 Jan 2023 at 15:25, Christian Brauner <brauner@xxxxxxxxxx> wrote:
>
> On Tue, Jan 24, 2023 at 03:07:18PM +0100, Miklos Szeredi wrote:
> > On Fri, 20 Jan 2023 at 12:55, Christian Brauner <brauner@xxxxxxxxxx> wrote:
> > >
> > > This cycle we ported all filesystems to the new posix acl api. While
> > > looking at further simplifications in this area to remove the last
> > > remnants of the generic dummy posix acl handlers we realized that we
> > > regressed fuse daemons that don't set FUSE_POSIX_ACL but still make use
> > > of posix acls.
> > >
> > > With the change to a dedicated posix acl api interacting with posix acls
> > > doesn't go through the old xattr codepaths anymore and instead only
> > > relies the get acl and set acl inode operations.
> > >
> > > Before this change fuse daemons that don't set FUSE_POSIX_ACL were able
> > > to get and set posix acl albeit with two caveats. First, that posix acls
> > > aren't cached. And second, that they aren't used for permission checking
> > > in the vfs.
> > >
> > > We regressed that use-case as we currently refuse to retrieve any posix
> > > acls if they aren't enabled via FUSE_POSIX_ACL. So older fuse daemons
> > > would see a change in behavior.
> >
> > This originates commit e45b2546e23c ("fuse: Ensure posix acls are
> > translated outside of init_user_ns") which, disables set/get acl in
> > the problematic case instead of translating them.
> >
> > Not sure if there's a real use case or it's completely theoretical.
> > Does anyone know?
>
> After 4+ years without anyone screaming for non-FUSE_POSIX_ACL daemons
> to be able set/get posix acls without permission checking in the vfs
> inside a userns we can continue not enabling this. Even if we now
> actually can.

Yes, that's my thinking as well.

> >
> > > If you're fine with this approach then could you please route this to
> > > Linus during v6.2 still? If you prefer I do it I'm happy to as well.
> >
> > I don't think I have anything pending for v6.2 in fuse, but if you
> > don't either I can handle the routing.
>
> I don't but if you'd be fine with me taking it it would make my life
> easier for another series.

Feel free to take it if that's better for you.

Thanks,
Miklos
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux