ovl: use posix acl api

Now that posix acls have a proper api us it to copy them.

All filesystems that can serve as lower or upper layers for overlayfs
have gained support for the new posix acl api in previous patches.
So switch all internal overlayfs codepaths for copying posix acls to the
new posix acl api.

Acked-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>

diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
index f436d8847f085a7e981b535e535ccba66b7f10ed..6e4e65ee050d6dacdd943780196d4b7f05d5a251 100644 (file)
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -44,6 +44,35 @@ static bool ovl_must_copy_xattr(const char *name)
               !strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN);
 }
 
+static int ovl_copy_acl(struct ovl_fs *ofs, const struct path *path,
+                       struct dentry *dentry, const char *acl_name)
+{
+       int err;
+       struct posix_acl *clone, *real_acl = NULL;
+
+       real_acl = ovl_get_acl_path(path, acl_name, false);
+       if (!real_acl)
+               return 0;
+
+       if (IS_ERR(real_acl)) {
+               err = PTR_ERR(real_acl);
+               if (err == -ENODATA || err == -EOPNOTSUPP)
+                       return 0;
+               return err;
+       }
+
+       clone = posix_acl_clone(real_acl, GFP_KERNEL);
+       posix_acl_release(real_acl); /* release original acl */
+       if (!clone)
+               return -ENOMEM;
+
+       err = ovl_do_set_acl(ofs, dentry, acl_name, clone);
+
+       /* release cloned acl */
+       posix_acl_release(clone);
+       return err;
+}
+
 int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct dentry *new)
 {
        struct dentry *old = oldpath->dentry;
@@ -93,6 +122,15 @@ int ovl_copy_xattr(struct super_block *sb, const struct path *oldpath, struct de
                        error = 0;
                        continue; /* Discard */
                }
+
+               if (is_posix_acl_xattr(name)) {
+                       error = ovl_copy_acl(OVL_FS(sb), oldpath, new, name);
+                       if (!error)
+                               continue;
+                       /* POSIX ACLs must be copied. */
+                       break;
+               }
+
 retry:
                size = ovl_do_getxattr(oldpath, name, value, value_size);
                if (size == -ERANGE)

diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index 0e817ebce92c1ce2c60ef22fcfd237a77d3b2fe5..cbb569d5d234ae7557d9c6934c613344c587b477 100644 (file)
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -435,28 +435,12 @@ out:
 }
 
 static int ovl_set_upper_acl(struct ovl_fs *ofs, struct dentry *upperdentry,
-                            const char *name, const struct posix_acl *acl)
+                            const char *acl_name, struct posix_acl *acl)
 {
-       void *buffer;
-       size_t size;
-       int err;
-
        if (!IS_ENABLED(CONFIG_FS_POSIX_ACL) || !acl)
                return 0;
 
-       size = posix_acl_xattr_size(acl->a_count);
-       buffer = kmalloc(size, GFP_KERNEL);
-       if (!buffer)
-               return -ENOMEM;
-
-       err = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
-       if (err < 0)
-               goto out_free;
-
-       err = ovl_do_setxattr(ofs, upperdentry, name, buffer, size, XATTR_CREATE);
-out_free:
-       kfree(buffer);
-       return err;
+       return ovl_do_set_acl(ofs, upperdentry, acl_name, acl);
 }
 
 static int ovl_create_over_whiteout(struct dentry *dentry, struct inode *inode,

diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index 304a6dbb852a53f9063bf0bed13cd6b11cd89eca..77a77fd7a77bb0f4b817a32cfb2f9edbbd493fc7 100644 (file)
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -510,8 +510,8 @@ static void ovl_idmap_posix_acl(const struct inode *realinode,
  * Until we have made a decision allow this helper to take the @noperm
  * argument. We should hopefully be able to remove it soon.
  */
-static struct posix_acl *ovl_get_acl_path(const struct path *path,
-                                         const char *acl_name, bool noperm)
+struct posix_acl *ovl_get_acl_path(const struct path *path,
+                                  const char *acl_name, bool noperm)
 {
        struct posix_acl *real_acl, *clone;
        struct user_namespace *mnt_userns;

diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
index ab5061c9aa2aaec729d3c2dfaeba4ac6674635c7..480e6aabef27a8052bcf906738c05b0d1e24a799 100644 (file)
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -623,10 +623,18 @@ static inline struct posix_acl *ovl_get_acl(struct user_namespace *mnt_userns,
 }
 int ovl_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry,
                struct posix_acl *acl, int type);
+struct posix_acl *ovl_get_acl_path(const struct path *path,
+                                  const char *acl_name, bool noperm);
 #else
 #define ovl_get_inode_acl      NULL
 #define ovl_get_acl            NULL
 #define ovl_set_acl            NULL
+static inline struct posix_acl *ovl_get_acl_path(const struct path *path,
+                                                const char *acl_name,
+                                                bool noperm)
+{
+       return NULL;
+}
 #endif
 
 int ovl_update_time(struct inode *inode, struct timespec64 *ts, int flags);

diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index a29a8afe9b26226dd94423e75d3287294a18e25b..5c1b7971a9b3e8eccb74c51bd38cd2203bc171e8 100644 (file)
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -813,13 +813,11 @@ retry:
                 * allowed as upper are limited to "normal" ones, where checking
                 * for the above two errors is sufficient.
                 */
-               err = ovl_do_removexattr(ofs, work,
-                                        XATTR_NAME_POSIX_ACL_DEFAULT);
+               err = ovl_do_remove_acl(ofs, work, XATTR_NAME_POSIX_ACL_DEFAULT);
                if (err && err != -ENODATA && err != -EOPNOTSUPP)
                        goto out_dput;
 
-               err = ovl_do_removexattr(ofs, work,
-                                        XATTR_NAME_POSIX_ACL_ACCESS);
+               err = ovl_do_remove_acl(ofs, work, XATTR_NAME_POSIX_ACL_ACCESS);
                if (err && err != -ENODATA && err != -EOPNOTSUPP)
                        goto out_dput;
 

diff --git a/fs/xattr.c b/fs/xattr.c
index 31b5ac65ca34c33f1f95dece90f3bacdf5a91c74..9ed9eea4d1b9664f52a2840fef7401f865f86050 100644 (file)
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -299,12 +299,6 @@ out:
 }
 EXPORT_SYMBOL_GPL(__vfs_setxattr_locked);
 
-static inline bool is_posix_acl_xattr(const char *name)
-{
-       return (strcmp(name, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
-              (strcmp(name, XATTR_NAME_POSIX_ACL_DEFAULT) == 0);
-}
-
 int
 vfs_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry,
             const char *name, const void *value, size_t size, int flags)

diff --git a/include/linux/xattr.h b/include/linux/xattr.h
index 4c379d23ec6e73b9590fba7c16e1152fb79376fd..c5238744bab980bd3c2f2e6eca2e668362cfb405 100644 (file)
--- a/include/linux/xattr.h
+++ b/include/linux/xattr.h
@@ -22,6 +22,12 @@
 struct inode;
 struct dentry;
 
+static inline bool is_posix_acl_xattr(const char *name)
+{
+       return (strcmp(name, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
+              (strcmp(name, XATTR_NAME_POSIX_ACL_DEFAULT) == 0);
+}
+
 /*
  * struct xattr_handler: When @name is set, match attributes with exactly that
  * name.  When @prefix is set instead, match attributes with that prefix and