Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp1934940rwd; Wed, 17 May 2023 03:34:42 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5VkYIjVb+TW7GDxdwCgWacBGRUHu8AwW/NMbiYCY9H2+VJf0hozXfUQt1zgjX/Rs6RFH4T X-Received: by 2002:a17:90a:a381:b0:24d:d377:d1 with SMTP id x1-20020a17090aa38100b0024dd37700d1mr42108159pjp.45.1684319681962; Wed, 17 May 2023 03:34:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684319681; cv=none; d=google.com; s=arc-20160816; b=wXNx5ojV497FYKjWyE1Bjjz8Y8aRohEOS+I72OpiN6vxwyVqDGX0ImEugJjlOD2G5e whkzuBVpuTnwFFFEQhvx28s2lfSrF8Gnbu7DIu05yzpqZQzGDTZq86d/pq6llDIgJtlT 5IxcNbXANMT8nh1eeaa+4G/lsBqstx0p+hSljajMKmLeUPY3TF3aNYoDqujXio/y1+uu m1GHhObG66HFrFLE9lc19tuF0wTmGCWjGlSnc9xm+jluzDY8BSQbKEL2IkrWedcubn6J b94Wux2U6sBDYm/9lNSFqI2FoinwQWZoN8OUGL+XJH9JEJ9H11gtzpZyKIPMaSbOZjSi rR1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent :content-transfer-encoding:references:in-reply-to:date:cc:to:from :subject:message-id:dkim-signature; bh=9eAGS5h/Cbev6A9r22A2ik5uolPSkUAqX626UYtBI+8=; b=uWKBlni8dlA3GpJvrRhGifCApKQwNbRhGTuolDrgt2IBcP04VponjaQcrPvrGJbIzf nH79bl7fUwotNDSnIxIY1i4b0KN3wkdcF8K8vokaijEXGqFRTx2vSGRfk0YEIFkTHpRq uqPj/OzYeMNcvHImfBUemQPhmZhX7VFdXLn89EddG6i4wrBfoeI+ASE6SiUnwKCNIyHF LT6F6q+41CZ0X9oa+L9rHqVefNNRqI8JbfZ5Nd1dn/uIObGwzog5KvmzdpjvVmoo1z3H mlVry5WfAdp7BT3Qu5nGM0iXl+Q/UspUMRHoLsS0BH5Ki9x+WAjaDe9XkqmVaRtzsRdG fKbA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=CEy1ZoOW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id w27-20020a637b1b000000b00518b499da59si20854206pgc.901.2023.05.17.03.34.27; Wed, 17 May 2023 03:34:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=CEy1ZoOW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230063AbjEQJ6r (ORCPT + 99 others); Wed, 17 May 2023 05:58:47 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33820 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229456AbjEQJ6q (ORCPT ); Wed, 17 May 2023 05:58:46 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A72BA468B; Wed, 17 May 2023 02:58:40 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3C7A263EE1; Wed, 17 May 2023 09:58:40 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 09549C4339B; Wed, 17 May 2023 09:58:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1684317519; bh=mdvgMjxEgSNhZgKM2X2vQGsXllXF+XTarnc4LgRl04A=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=CEy1ZoOW04ULFl1Snt/ohfPj+PnDo19paj2EgjxdshfncUxd7cYJIil/dimFsQ0gQ 7m0XgJW13m17cReDatsQWKzxq6jssyN9ULt54QqHqseh7OzWPSBx3oXCk+QopU8RPw jWsL4lbs9QChO5Xr7DP9HRO9mQVRoWG11xq2zTjhPnOQ6Ah45+GRafCwU13/oxXnkw PLJ+eDqdLgm8MMXEiMNvrdMWBTvUDKf6rxWlRIAFnZ7YZP2WBANs5t4qTO/rBBoUQj spk8hrWBr/aiavH0SAVXgj1PKHBGqxUo27yG0SpBblF+QQSr7JIek6ExezG9X//3D1 CkygKMcyjUXbA== Message-ID: <579da980fa02682522e7e4ada5be36fc972ea838.camel@kernel.org> Subject: Re: A pass-through support for NFSv4 style ACL From: Jeff Layton To: Christian Brauner Cc: Ondrej Valousek , "trondmy@hammerspace.com" , "linux-fsdevel@vger.kernel.org" , "linux-kernel@vger.kernel.org" , Andreas Gruenbacher Date: Wed, 17 May 2023 05:58:37 -0400 In-Reply-To: <20230517-herstellen-zitat-21eeccd36558@brauner> References: <20230516124655.82283-1-jlayton@kernel.org> <20230516-notorisch-geblickt-6b591fbd77c1@brauner> <20230517-herstellen-zitat-21eeccd36558@brauner> Content-Type: text/plain; charset="ISO-8859-15" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.48.1 (3.48.1-1.fc38) MIME-Version: 1.0 X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2023-05-17 at 09:42 +0200, Christian Brauner wrote: > On Tue, May 16, 2023 at 05:22:30PM -0400, Jeff Layton wrote: > > On Tue, 2023-05-16 at 20:50 +0000, Ondrej Valousek wrote: > > >=20 > > > Hi Christian, > > >=20 > > > Would it be possible to patch kernel the way it accepts native (i.e n= o > > > conversion to Posix ACL) NFSv4 style ACLs for filesystems that can > > > support them? > > > I.E. OpenZFS, NTFS, could be also interesting for Microsofts WSL2=A0 = or > > > Samba right? > > >=20 > > > I mean, I am not trying to push richacl again knowing they have been > > > rejected, but just NFS4 style Acls as they are so similar to Windows > > > ACLs. > > >=20 > >=20 > > Erm, except you kind of are if you want to do this. I don't see how thi= s > > idea works unless you resurrect RichACLs or something like them. >=20 > I have no idea about the original flame war that ended RichACLs in > additition to having no clear clue what RichACLs are supposed to > achieve. My current knowledge extends to "Christoph didn't like them". >=20 > >=20 > > > The idea here would be that we could > > > - mount NTFS/ZFS filesystem and inspect ACLs using existing tools > > > (nfs4_getacl) > > > - share with NFSv4 in a pass through mode > > > - in Windows WSL2 we could inspect local filesystem ACLs using the > > > same tools > > >=20 > > > Does it make any sense or it would require lot of changes to VFS > > > subsystem or its a nonsense altogether? >=20 > Yes, very likely. >=20 > We'd either have to change the current inode operations for getting and > setting acls to take a new struct acl that can contain either posix acls > or rich acls or add new ones just for these new fangled ones. >=20 > Choosing the first - more sensible - of these two options will mean > updating each filesystem's acl inode operations. Might turn out to not > be invasive code as it might boil down to struct posix_acl *acl =3D > acl->posix at the beginning of each method but still. >=20 > Then we'd probably also need to: >=20 > * handle permission checking (see Jeff's comment below) > * change/update the ACL caching layer > * if the past hast taught me anything then overlayfs would probably need > some additional logic as well >=20 Yeah, it's a significant project. > > >=20 > >=20 > > Eventually you have to actually enforce the ACL. Do NTFS/ZFS already > > have code to do this? If not then someone would need to write it. > >=20 > > Also windows and nfs acls do have some differences, so you'll need a > > translation layer too. >=20 > Jeff, I know you have some knowledge in this area you probably are > better equipped to judge the sanity and feasibility of this. I know a bit, but Andreas (cc'ed) is the undisputed expert. If you're looking to resurrect this effort, then you should definitely loop him in. --=20 Jeff Layton