On Fri, Jul 08, 2022 at 03:54:09PM +0200, Miklos Szeredi wrote:
> On Thu, 7 Jul 2022 at 12:33, Christian Brauner <brauner@xxxxxxxxxx> wrote:
> >
> > On Thu, Jul 07, 2022 at 09:58:47AM +0200, Miklos Szeredi wrote:
> > > On Wed, 6 Jul 2022 at 15:59, Christian Brauner <brauner@xxxxxxxxxx> wrote:
>
> > > However I don't think clearing SB_POSIXACL will do that.
> > >
> > > Maybe denying the operation in ovl_posix_acl_xattr_{get,set}() is the
> > > right way to achieve the above?
> >
> > Hm, removing SB_POSIXACL in my tests fixed that completely. But we can
> > add an additional check:
>
> Strange... In my tests just clearing SB_POSIXACL will still let
> overlayfs get and set ACL's.
No, you were right. I was only checking ->get_acl() codepaths, not
directly {g,s}etxattr() so my bad!
>
> >
> > if (!IS_POSIXACL(inode))
> > return -EOPNOTSUPP;
> >
> > to both helpers additionally? Can you do that when you apply or do you
> > want me to send a version with that added?
>
> Added, also simplified ovl_has_idmapped_layers().
>
> Pushed to #overlayfs-next and will send to Linus next week.
Thank you!
Christian
