On Fri, Jul 08, 2022 at 03:54:09PM +0200, Miklos Szeredi wrote:
> On Thu, 7 Jul 2022 at 12:33, Christian Brauner <brauner@xxxxxxxxxx> wrote:
> >
> > On Thu, Jul 07, 2022 at 09:58:47AM +0200, Miklos Szeredi wrote:
> > > On Wed, 6 Jul 2022 at 15:59, Christian Brauner <brauner@xxxxxxxxxx> wrote:
>
> > > However I don't think clearing SB_POSIXACL will do that.
> > >
> > > Maybe denying the operation in ovl_posix_acl_xattr_{get,set}() is the
> > > right way to achieve the above?
> >
> > Hm, removing SB_POSIXACL in my tests fixed that completely. But we can
> > add an additional check:
>
> Strange... In my tests just clearing SB_POSIXACL will still let
> overlayfs get and set ACL's.

No, you were right. I was only checking ->get_acl() codepaths, not
directly {g,s}etxattr() so my bad!

>
> >
> >         if (!IS_POSIXACL(inode))
> >                 return -EOPNOTSUPP;
> >
> > to both helpers additionally? Can you do that when you apply or do you
> > want me to send a version with that added?
>
> Added, also simplified ovl_has_idmapped_layers().
>
> Pushed to #overlayfs-next and will send to Linus next week.

Thank you!
Christian