On 4/23/20 4:27 PM, Amir Goldstein wrote:
On Thu, Apr 23, 2020 at 10:06 AM JeffleXu <jefflexu@xxxxxxxxxxxxxxxxx> wrote:
It seems that the MS_NOSEC flag would be problematic for network filesystems.
@Amir, would you please give some suggestions on whether this would break the
permission control down when the 'NFS export' feature is enabled?
I cannot think of anything specific to NFS export.
I think you are confusing NFS server with NFS client permissions.
I think network filesystems do not set SB_NOSEC, because the client
may not have a coherent state of the xattr on the server and other clients.
To reflect on overlayfs, I think overlayfs should inherit the SB_NOSEC
flag from the upper fs, which most likely will be set.
Makes sense. So maybe the following patch would be more appropriate. If
it is OK I will send a v2 patch then.
```
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -1052,6 +1052,10 @@ static int ovl_get_upper(struct super_block *sb,
struct ovl_fs *ofs,
upper_mnt->mnt_flags &= ~(MNT_NOATIME | MNT_NODIRATIME |
MNT_RELATIME);
ofs->upper_mnt = upper_mnt;
+ /* inherit SB_NOSEC flag from upperdir */
+ if (upper_mnt->mnt_sb->s_flags & SB_NOSEC)
+ sb->s_flags |= SB_NOSEC;
+
if (ovl_inuse_trylock(ofs->upper_mnt->mnt_root)) {
ofs->upperdir_locked = true;
} else {
```
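Review bot: the one-line comment above the `SB_NOSEC` test in `ovl_get_upper()` says what is inherited but not why that is safe, and the condition looks only at `upper_mnt->mnt_sb`. The thread's own reasoning is that a filesystem leaves SB_NOSEC unset when it cannot rely on a coherent view of the security xattrs, so once the overlay superblock carries the flag, a suid/sgid bit or security.* xattr changed directly on an underlying layer may no longer be noticed through the overlay. Please expand the comment to state that assumption, and say explicitly whether lower layers without SB_NOSEC need to be considered or why the upper superblock alone is sufficient. A blank line between `ofs->upper_mnt = upper_mnt;` and the new comment would also match the spacing left after the added block.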
The only filesystem I can think of that is used for upper fs without
SB_NOSEC is the recent feature of fuse as upper fs merged to
v5.7-rc1.
Thanks,
Amir.