Date: Fri, 23 Feb 2024 09:38:59 +0100
From: Christian Brauner
To: "Seth Forshee (DigitalOcean)"
Cc: Serge Hallyn, Paul Moore, Eric Paris, James Morris, Alexander Viro, Jan Kara, Stephen Smalley, Ondrej Mosnacek, Casey Schaufler, Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Eric Snowberg, "Matthew Wilcox (Oracle)", Jonathan Corbet, Miklos Szeredi, Amir Goldstein, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, audit@vger.kernel.org, selinux@vger.kernel.org, linux-integrity@vger.kernel.org, linux-doc@vger.kernel.org, linux-unionfs@vger.kernel.org
Subject: Re: [PATCH v2 18/25] fs: add vfs_set_fscaps()
Message-ID: <20240223-kehlkopf-zitat-494f00034071@brauner>
References: <20240221-idmap-fscap-refactor-v2-0-3039364623bd@kernel.org> <20240221-idmap-fscap-refactor-v2-18-3039364623bd@kernel.org>
In-Reply-To: <20240221-idmap-fscap-refactor-v2-18-3039364623bd@kernel.org>

On Wed, Feb 21, 2024 at 03:24:49PM -0600, Seth Forshee (DigitalOcean) wrote:
> Provide a type-safe interface for setting filesystem capabilities and a
> generic implementation suitable for most filesystems.
>
> Signed-off-by: Seth Forshee (DigitalOcean)
> --- > fs/xattr.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ > include/linux/fs.h | 2 ++ > 2 files changed, 81 insertions(+) > > diff --git a/fs/xattr.c b/fs/xattr.c > index 10d1b1f78fc2..96de43928a51 100644 > --- a/fs/xattr.c > +++ b/fs/xattr.c
> @@ -245,6 +245,85 @@ int vfs_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, > } > EXPORT_SYMBOL(vfs_get_fscaps); > > +static int generic_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, > + const struct vfs_caps *caps, int setxattr_flags) > +{ > + struct inode *inode = d_inode(dentry); > + struct vfs_ns_cap_data nscaps; > + int size; ssize_t, I believe. > + > + size = vfs_caps_to_xattr(idmap, i_user_ns(inode), caps, > + &nscaps, sizeof(nscaps)); > + if (size < 0) > + return size; > + > + return __vfs_setxattr_noperm(idmap, dentry, XATTR_NAME_CAPS, > + &nscaps, size, setxattr_flags); > +} > + > +/** > + * vfs_set_fscaps - set filesystem capabilities > + * @idmap: idmap of the mount the inode was found from > + * @dentry: the dentry on which to set filesystem capabilities > + * @caps: the filesystem capabilities to be written > + * @setxattr_flags: setxattr flags to use when writing the capabilities xattr > + * > + * This function writes the supplied filesystem capabilities to the dentry. > + * > + * Return: 0 on success, a negative errno on error. > + */ > +int vfs_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, > + const struct vfs_caps *caps, int setxattr_flags) > +{ > + struct inode *inode = d_inode(dentry); > + struct inode *delegated_inode = NULL; > + int error; > + > +retry_deleg: > + inode_lock(inode); > + > + error = xattr_permission(idmap, inode, XATTR_NAME_CAPS, MAY_WRITE); > + if (error) > + goto out_inode_unlock; I think this should be /* * We only care about restrictions the inode struct itself places upon * us otherwise fscaps aren't subject to any VFS restrictions. */ error = may_write_xattr(idmap, inode); if (error) goto out_inode_unlock; which is a 1:1 copy of what POSIX ACLs do? 
> + error = security_inode_set_fscaps(idmap, dentry, caps, setxattr_flags); > + if (error) > + goto out_inode_unlock; > + > + error = try_break_deleg(inode, &delegated_inode); > + if (error) > + goto out_inode_unlock; > + > + if (inode->i_opflags & IOP_XATTR) { Fwiw, I think that if we move fscaps off of xattr handlers completely this can go away and we can simply rely on ->{g,s}et_fscaps() being implemented. But again, that can be in a follow-up series. > + if (inode->i_op->set_fscaps) > + error = inode->i_op->set_fscaps(idmap, dentry, caps, > + setxattr_flags); > + else > + error = generic_set_fscaps(idmap, dentry, caps, > + setxattr_flags); > + if (!error) { > + fsnotify_xattr(dentry); > + security_inode_post_set_fscaps(idmap, dentry, caps, > + setxattr_flags); > + } > + } else if (unlikely(is_bad_inode(inode))) { > + error = -EIO; > + } else { > + error = -EOPNOTSUPP; > + } > + > +out_inode_unlock: > + inode_unlock(inode); > + > + if (delegated_inode) { > + error = break_deleg_wait(&delegated_inode); > + if (!error) > + goto retry_deleg; > + } > + > + return error; > +} > +EXPORT_SYMBOL(vfs_set_fscaps); > + > int > __vfs_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, > struct inode *inode, const char *name, const void *value, > diff --git a/include/linux/fs.h b/include/linux/fs.h > index d7cd2467e1ea..4f5d7ed44644 100644 > --- a/include/linux/fs.h > +++ b/include/linux/fs.h > @@ -2120,6 +2120,8 @@ extern int vfs_get_fscaps_nosec(struct mnt_idmap *idmap, struct dentry *dentry, > struct vfs_caps *caps); > extern int vfs_get_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, > struct vfs_caps *caps); > +extern int vfs_set_fscaps(struct mnt_idmap *idmap, struct dentry *dentry, > + const struct vfs_caps *caps, int setxattr_flags); Please drop the extern.
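
Review bot: In the fs/xattr.c hunk, the success branch of vfs_set_fscaps() calls fsnotify_xattr(dentry) for both the ->set_fscaps() path and the generic_set_fscaps() path, and the generic path writes through __vfs_setxattr_noperm(). Please check whether that helper already emits the xattr fsnotify event and a post-setxattr LSM hook: if it does, the generic path notifies twice while the ->set_fscaps() path notifies once. In that case either have generic_set_fscaps() call __vfs_setxattr() directly, or restrict the fsnotify_xattr() call to the ->set_fscaps() branch. Separately, the kernel-doc for vfs_set_fscaps() does not mention that the function takes inode_lock() itself and can sleep in break_deleg_wait() before jumping back to retry_deleg; a "Context:" line saying callers must not hold the inode lock would make that explicit, and the -EIO and -EOPNOTSUPP returns could be listed under "Return:".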