On Fri, Aug 16, 2024 at 8:33 AM Hongbo Li <lihongbo22@xxxxxxxxxx> wrote: > > Since in_group_or_capable has been exported, we can use > it to simplify the code when check group and capable. > > Signed-off-by: Hongbo Li <lihongbo22@xxxxxxxxxx> > --- > fs/overlayfs/inode.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c > index 35fd3e3e1778..a0692595a5d6 100644 > --- a/fs/overlayfs/inode.c > +++ b/fs/overlayfs/inode.c > @@ -554,8 +554,8 @@ int ovl_set_acl(struct mnt_idmap *idmap, struct dentry *dentry, > * be done with mounter's capabilities and so that won't do it for us). > */ > if (unlikely(inode->i_mode & S_ISGID) && type == ACL_TYPE_ACCESS && > - !in_group_p(inode->i_gid) && > - !capable_wrt_inode_uidgid(&nop_mnt_idmap, inode, CAP_FSETID)) { > + !in_group_or_capable(&nop_mnt_idmap, inode, > + i_gid_into_vfsgid(&nop_mnt_idmap, inode))) { > struct iattr iattr = { .ia_valid = ATTR_KILL_SGID }; > > err = ovl_setattr(&nop_mnt_idmap, dentry, &iattr); I will need Christian to comment on this patch, but it feels to me like the checks in ovl should mimic the checks in posix_acl_update_mode(), so it feels odd to update one without the other. Thanks, Amir.
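Review bot: In the rewritten condition of ovl_set_acl(), the explicit CAP_FSETID argument and the in_group_p(inode->i_gid) test both disappear from the call site, and the changelog does not state that in_group_or_capable() called with i_gid_into_vfsgid(&nop_mnt_idmap, inode) performs the same group-membership and CAP_FSETID checks. Because this condition decides whether ATTR_KILL_SGID is applied, please state that equivalence in the commit message so the conversion can be confirmed as behaviour-preserving rather than only a simplification. The diffstat also shows that only fs/overlayfs/inode.c is touched; if posix_acl_update_mode() carries the same pair of checks, as the reply suggests, converting it in the same patch or series would keep the two in step.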