On 2021-01-19 17:22:03, Miklos Szeredi wrote: > Prior to commit 7c03e2cda4a5 ("vfs: move cap_convert_nscap() call into > vfs_setxattr()") the translation of nscap->rootid did not take stacked > filesystems (overlayfs and ecryptfs) into account. > > That patch fixed the overlay case, but made the ecryptfs case worse. Thanks for sending a fix! I know that you don't have an eCryptfs setup to test with but I'm at a loss about how to test this from the userns/fscaps side of things. Do you have a sequence of unshare/setcap/getcap commands that I can run on a file inside of an eCryptfs mount to verify that the bug exists after 7c03e2cda4a5 and then again to verify that this patch fixes the bug? Tyler > > Restore old the behavior for ecryptfs that existed before the overlayfs > fix. This does not fix ecryptfs's handling of complex user namespace > setups, but it does make sure existing setups don't regress. > > Reported-by: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> > Cc: Tyler Hicks <code@xxxxxxxxxxx> > Fixes: 7c03e2cda4a5 ("vfs: move cap_convert_nscap() call into vfs_setxattr()") > Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxxxxx> > --- > fs/ecryptfs/inode.c | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > > diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c > index e23752d9a79f..58d0f7187997 100644 > --- a/fs/ecryptfs/inode.c > +++ b/fs/ecryptfs/inode.c > @@ -1016,15 +1016,19 @@ ecryptfs_setxattr(struct dentry *dentry, struct inode *inode, > { > int rc; > struct dentry *lower_dentry; > + struct inode *lower_inode; > > lower_dentry = ecryptfs_dentry_to_lower(dentry); > - if (!(d_inode(lower_dentry)->i_opflags & IOP_XATTR)) { > + lower_inode = d_inode(lower_dentry); > + if (!(lower_inode->i_opflags & IOP_XATTR)) { > rc = -EOPNOTSUPP; > goto out; > } > - rc = vfs_setxattr(lower_dentry, name, value, size, flags); > + inode_lock(lower_inode); > + rc = __vfs_setxattr_locked(lower_dentry, name, value, size, flags, NULL); > + inode_unlock(lower_inode); > if (!rc && inode) > - fsstack_copy_attr_all(inode, d_inode(lower_dentry)); > + fsstack_copy_attr_all(inode, lower_inode); > out: > return rc; > } > -- > 2.26.2 >