Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp721235rdg;
        Wed, 11 Oct 2023 03:51:56 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFTfvggkDDhvxpjbH7nHon42W6Ap9ngfI033yZ/2Dyut1nXC5wMZZrDwj16BCfndd/SNFGM
X-Received: by 2002:a05:6358:4414:b0:145:6fdf:9c86 with SMTP id z20-20020a056358441400b001456fdf9c86mr19217920rwc.13.1697021516165;
        Wed, 11 Oct 2023 03:51:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1697021516; cv=none;
        d=google.com; s=arc-20160816;
        b=N3Nz0xVbghvI3xy4a8+Qtk/GC7VYLcTSyOuVAwmJ3AIgncCaUK1m7HrfmQ/ZqnUbPl
         jOEIwdqBfJvvk6CgMbm/bU8/jo8pDagexhnUFkbJLwCduKNlKJoiMJU/OXVb5UEkUIGb
         xDjnQ42jIpegIT5IVIUIOMUVste0YcLreJrJ7E9F9HMzuvpnP9O7pP12t4yVJg88d3dC
         sFvtxIvxZ8/zqWhzrvmG20nX8nZ4p5yVBMh3eDYk+nAD23VygLhIwzs/xSHjOYRe+81A
         Zsq18haqrOpcF5N67f6b4DLNO0MbS1doACfRLUosuq7MayL1rCPoJ67SUD9cStOWgnce
         vTPA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=OA4VMlVoeOMyOhtKxhGjb50TdmzbdywYsQIBV+11vPc=;
        fh=tHr6/26MAur2EXBfKQy6JQjFlLylcfz2kCXZkUPzRPQ=;
        b=ZnGAHyGXwqz2SPnV8mMb3ZjZRUE2bDG9f5VzNVIVjtDjckdmt7lso8+caAXwaalm5M
         zidYAjg0KrZUD3gkWAKWgxQEwfw/YbmI0V+QdxLfY9UHT2/8hpDlZI0UBMV2Dy3XKNWH
         Itr+9AU7F9kouVxjdjzbhhL1I7bIyKaWDEermzaKUvZ1pqAF2yxn37rK0F+h8PYPKLaW
         l0+seb//hnhxVYl7LKu1cGGSX1Iqf63DAOcWA4DenSRMSTDmO3C7iISZQBdzx0BKnQHu
         37o6VyRBBEkmBWFjNUw+G1x1BtpVMPbmEuYMhjy9OwLKOI5LvI8uNgnb7ExvyQluo647
         2qmQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ionos.com header.s=google header.b=CNQBmY7q;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ionos.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from agentk.vger.email (agentk.vger.email. [23.128.96.32])
        by mx.google.com with ESMTPS id dw8-20020a056a00368800b0069f456b74e9si9471662pfb.292.2023.10.11.03.51.55
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 11 Oct 2023 03:51:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) client-ip=23.128.96.32;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ionos.com header.s=google header.b=CNQBmY7q;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.32 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ionos.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by agentk.vger.email (Postfix) with ESMTP id 96B57811905D;
	Wed, 11 Oct 2023 03:51:53 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at agentk.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231818AbjJKKva (ORCPT <rfc822;tarbal@gmail.com> + 99 others);
        Wed, 11 Oct 2023 06:51:30 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43788 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231934AbjJKKv2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 11 Oct 2023 06:51:28 -0400
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E41D294
        for <linux-kernel@vger.kernel.org>; Wed, 11 Oct 2023 03:51:25 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id 38308e7fff4ca-2bffc55af02so79555041fa.2
        for <linux-kernel@vger.kernel.org>; Wed, 11 Oct 2023 03:51:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ionos.com; s=google; t=1697021484; x=1697626284; darn=vger.kernel.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=OA4VMlVoeOMyOhtKxhGjb50TdmzbdywYsQIBV+11vPc=;
        b=CNQBmY7qVXfQiwZDv4Qq3U01WJ5aeRtlPLzVGnPyLd/BiVFabbJ+TeX7uyzE7frO3Y
         jFjcZTBKKHZhAJfisWg9DqRRYkVYtT0xnAXOQqd4H/pULwY93fxAfrHFG0IYjlg7lfXd
         M6fpqAFJlDI05LovRXR28B7uqsyW0IN+JIspl+RUDl4c2vxgw+BbQCyaXxrvaXhfCjkK
         tOgYT7KgKVUd7DcKqCoSAvhKfxoMe/TN2VfvS6/h2aQjp//kGDBX+EucLdnQJz0/yI5l
         xJEQVJN4zbYfC9b1c32lFEjAPIe3DtE56kQkq/G0KOMsKyDQFziZ1iLsuCLDK8tmo4DO
         WTUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1697021484; x=1697626284;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=OA4VMlVoeOMyOhtKxhGjb50TdmzbdywYsQIBV+11vPc=;
        b=Og9bfk5j1u7VqROfrjMjRiOlHl4rBf66Te72XdgnlRs5J5Ki3WYGfwh/CvrgTkZl7j
         99RVuJSf4byTH4fDzPRrwxa9D9621yzt10nNNls/A5x93Tey7kr+DFPaFM+SGjo/wuuj
         H/JUPg2NSbhq76qBtxASo6oFHXnIpnVorE7qdj+u0PWKt82Y1fycIlR5daVXQW/vBmpq
         YjbyzfyQa++2CKZulfR2l3wsuqzstLfiEoL00YOTBkyS1b7xMMRlysxynBLanzBissFI
         t1hWYnweNBTEFIB7UGlRSApvXxskI9EzQywINaYh9kKDCK3ToSMMO45pfjDVQe4WzQDQ
         6RIQ==
X-Gm-Message-State: AOJu0YzU4tR/HLXMPNMwCZPJI4mTSX6x0ilvCTuuT9QVbYrSr9CLaE73
        cpX9CfBRSb3AZjspReoGxaw9te2aXzNgsPCdsuPxyw==
X-Received: by 2002:a2e:3309:0:b0:2bf:fb49:6619 with SMTP id
 d9-20020a2e3309000000b002bffb496619mr16986300ljc.23.1697021484028; Wed, 11
 Oct 2023 03:51:24 -0700 (PDT)
MIME-Version: 1.0
References: <69dda7be-d7c8-401f-89f3-7a5ca5550e2f@oracle.com>
 <20231009144340.418904-1-max.kellermann@ionos.com> <20231010131125.3uyfkqbcetfcqsve@quack3>
 <CAKPOu+-nC2bQTZYL0XTzJL6Tx4Pi1gLfNWCjU2Qz1f_5CbJc1w@mail.gmail.com> <20231011100541.sfn3prgtmp7hk2oj@quack3>
In-Reply-To: <20231011100541.sfn3prgtmp7hk2oj@quack3>
From:   Max Kellermann <max.kellermann@ionos.com>
Date:   Wed, 11 Oct 2023 12:51:12 +0200
Message-ID: <CAKPOu+_xdFALt9sgdd5w66Ab6KTqiy8+Z0Yd3Ss4+92jh8nCwg@mail.gmail.com>
Subject: Re: [PATCH v2] fs/{posix_acl,ext2,jfs,ceph}: apply umask if ACL
 support is disabled
To:     Jan Kara <jack@suse.cz>
Cc:     Xiubo Li <xiubli@redhat.com>, Ilya Dryomov <idryomov@gmail.com>,
        Jeff Layton <jlayton@kernel.org>, Jan Kara <jack@suse.com>,
        Dave Kleikamp <shaggy@kernel.org>, ceph-devel@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-ext4@vger.kernel.org,
        jfs-discussion@lists.sourceforge.net,
        Christian Brauner <brauner@kernel.org>,
        Yang Xu <xuyang2018.jy@fujitsu.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=2.7 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Wed, 11 Oct 2023 03:51:53 -0700 (PDT)
X-Spam-Level: **

On Wed, Oct 11, 2023 at 12:05=E2=80=AFPM Jan Kara <jack@suse.cz> wrote:
> So I've checked some more and the kernel doc comments before
> mode_strip_umask() and vfs_prepare_mode() make it pretty obvious - all
> paths creating new inodes must be calling vfs_prepare_mode(). As a result
> mode_strip_umask() which handles umask stripping for filesystems not
> supporting posix ACLs. For filesystems that do support ACLs,
> posix_acl_create() must be call and that handles umask stripping. So your
> fix should not be needed. CCed some relevant people for confirmation.

Thanks, Jan. Do you think the documentation is obvious enough, or
shall I look around and try to improve the documentation? I'm not a FS
expert, so it may be just my fault that it confused me.... I just
analyzed the O_TMPFILE vulnerability four years ago (because it was
reported to me as the maintainer of a userspace software).

Apart from my doubts that this API contract is too error prone, I'm
not quite sure if all filesystems really implement it properly.

For example, overlayfs unconditionally sets SB_POSIXACL, even if the
kernel has no ACL support. Would this ignore the umask? I'm not sure,
overlayfs is a special beast.
Then there's orangefs which allows setting the "acl" mount option (and
thus SB_POSIXACL) even if the kernel has no ACL support. Same for gfs2
and maybe cifs, maybe more, I didn't check them all.

The "mainstream" filesystems like ext4 seem to be implemented
properly, though this is still too fragile for my taste... ext4 has
the SB_POSIXACL code even if there's no kernel ACL support, but it is
not reachable because EXT4_MOUNT_POSIX_ACL cannot be set from
userspace in that case. The code looks suspicious, but is okay in the
end - still not my taste.

I see so much redundant code regarding the "acl" mount option in all
filesystems. I believe the API should be designed in a way that it is
safe-by-default, and shouldn't need very careful considerations in
each and every filesystem, or else all filesystems repeat the same
mistakes until the last one gets fixed.

Max