On Fri, Jul 08, 2022 at 11:01:34AM +0200, Christian Brauner wrote:
> During permission checking overlayfs will call
>
> ovl_permission()
> -> generic_permission()
> -> acl_permission_check()
> -> check_acl()
> -> get_acl()
> -> inode->i_op->get_acl() == ovl_get_acl()
> -> get_acl() /* on the underlying filesystem */
> -> inode->i_op->get_acl() == /*lower filesystem callback */
> -> posix_acl_permission()
>
> passing through the get_acl() request to the underlying filesystem.
>
> Before returning these values to the VFS we need to take the idmapping of the
> relevant layer into account and translate any ACL_{GROUP,USER} values according
> to the idmapped mount.
>
> We cannot alter the ACLs returned from the relevant layer directly as that
> would alter the cached values filesystem wide for the lower filesystem. Instead
> we can clone the ACLs and then apply the relevant idmapping of the layer.
>
> This is obviously only relevant when idmapped layers are used.
>
> Cc: Seth Forshee <sforshee@xxxxxxxxxxxxxxxx>
> Cc: Amir Goldstein <amir73il@xxxxxxxxx>
> Cc: Vivek Goyal <vgoyal@xxxxxxxxxx>
> Cc: Christoph Hellwig <hch@xxxxxx>
> Cc: Aleksa Sarai <cyphar@xxxxxxxxxx>
> Cc: Miklos Szeredi <mszeredi@xxxxxxxxxx>
> Cc: linux-unionfs@xxxxxxxxxxxxxxx
> Signed-off-by: Christian Brauner (Microsoft) <brauner@xxxxxxxxxx>

Reviewed-by: Seth Forshee <sforshee@xxxxxxxxxxxxxxxx>
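
The clone-then-translate step described in the quoted commit message, as an added userspace C model that is not part of the original mail or of the kernel patch. The types, `map_id()`, `acl_clone_idmapped()` and the single-range `struct idmap` (shared by uids and gids) are hypothetical simplifications, and the sample ACL is constructed.

```c
/* Userspace model, not kernel code: clone a cached ACL, translate the clone. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { TAG_USER_OBJ = 0x01, TAG_USER = 0x02, TAG_GROUP_OBJ = 0x04,
       TAG_GROUP = 0x08, TAG_MASK = 0x10, TAG_OTHER = 0x20 };
#define ID_INVALID ((uint32_t)-1)

struct acl_entry { int tag; unsigned perm; uint32_t id; };
struct acl { size_t count; struct acl_entry e[]; };
/* Assumed single-range idmapping, shared by uids and gids for brevity. */
struct idmap { uint32_t fs_first, mnt_first, count; };

static uint32_t map_id(const struct idmap *m, uint32_t id)
{
    if (id >= m->fs_first && id - m->fs_first < m->count)
        return m->mnt_first + (id - m->fs_first);
    return ID_INVALID; /* id has no mapping in this mount */
}

/* Returns a translated private copy; the cached ACL is never written. */
struct acl *acl_clone_idmapped(const struct acl *cached, const struct idmap *m)
{
    size_t sz = sizeof(*cached) + cached->count * sizeof(cached->e[0]);
    struct acl *clone = malloc(sz);
    if (!clone)
        return NULL;
    memcpy(clone, cached, sz);
    for (size_t i = 0; i < clone->count; i++) {
        struct acl_entry *e = &clone->e[i];
        /* Only the named-user and named-group entries carry an id. */
        if (e->tag == TAG_USER || e->tag == TAG_GROUP)
            e->id = map_id(m, e->id);
    }
    return clone;
}

/* Constructed sample standing in for the lower filesystem's cached ACL. */
struct acl *sample_cached_acl(void)
{
    static const struct acl_entry src[] = {
        { TAG_USER_OBJ, 6, ID_INVALID }, { TAG_USER, 4, 1000 },
        { TAG_GROUP_OBJ, 4, ID_INVALID }, { TAG_GROUP, 4, 70000 },
        { TAG_MASK, 4, ID_INVALID }, { TAG_OTHER, 0, ID_INVALID } };
    struct acl *a = malloc(sizeof(*a) + sizeof(src));
    if (a) { a->count = 6; memcpy(a->e, src, sizeof(src)); }
    return a;
}
```

Translating the cached object in place instead would make every other user of the lower filesystem see ids shifted by one layer's mapping, which is the filesystem-wide side effect the commit message rules out.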