From: Miklos Szeredi
Date: Wed, 20 Jan 2021 08:52:27 +0100
Subject: Re: [PATCH 1/2] ecryptfs: fix uid translation for setxattr on security.capability
To: "Eric W. Biederman"
Cc: Miklos Szeredi, linux-fsdevel@vger.kernel.org, overlayfs, LSM, linux-kernel@vger.kernel.org, "Serge E . Hallyn", Tyler Hicks
References: <20210119162204.2081137-1-mszeredi@redhat.com> <20210119162204.2081137-2-mszeredi@redhat.com> <87a6t4ab7h.fsf@x220.int.ebiederm.org>
In-Reply-To: <87a6t4ab7h.fsf@x220.int.ebiederm.org>

On Tue, Jan 19, 2021 at 10:11 PM Eric W. Biederman wrote:
>
> Miklos Szeredi writes:
>
> > Prior to commit 7c03e2cda4a5 ("vfs: move cap_convert_nscap() call into
> > vfs_setxattr()") the translation of nscap->rootid did not take stacked
> > filesystems (overlayfs and ecryptfs) into account.
> >
> > That patch fixed the overlay case, but made the ecryptfs case worse.
> >
> > Restore the old behavior for ecryptfs that existed before the overlayfs
> > fix.  This does not fix ecryptfs's handling of complex user namespace
> > setups, but it does make sure existing setups don't regress.
>
> Today vfs_setxattr handles a delegated_inode and breaking
> leases.  Code that is enabled with CONFIG_FILE_LOCKING.  So unless
> I am missing something this introduces a different regression into
> ecryptfs.

This is in line with all the other cases of ecryptfs passing NULL as
delegated inode.

I'll defer this to the maintainer of ecryptfs.

Thanks,
Miklos