Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp793566yba; Fri, 3 May 2019 10:31:55 -0700 (PDT) X-Google-Smtp-Source: APXvYqzjbvHK883iSHUSZvaigl/goYLj81Vv3CdwsKrxvSO7htYKFYbLtC0nVgF3gx0EAjB8f3SN X-Received: by 2002:a63:d345:: with SMTP id u5mr11288987pgi.83.1556904715654; Fri, 03 May 2019 10:31:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556904715; cv=none; d=google.com; s=arc-20160816; b=rCm6UZYEwV5lYcz9DpbgvX5Ms9JNzhcD9SEt97RchMN+MlWCeYm+nXs35LSPFVbL2P X/IZISYhtL0Uedl+br1G68o2Va4TqOp0qSMHLHzhD/K3d9/tzBDv1odU1/ED/QTJZlbQ SbSpAVw+1c67HH8WruNCx7WvggqIKaLas/S2hJ3au02XG83GD649Ov+AG8PFIh570vFw I5uGjkmEn/YLP5NhRod7yfRKOftqbFBqTxCpWm64XvLguibh+H5aUBsE7GLA4YMLodR8 gVu1fYUOu+KeQ2GrrXQE5cU/dH6okHuFvlrNir7rT5Ac5bVwfJUzxxT655Fc9mfg8Ead oT7Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=6LAdlCvpwSD7lerziHqNC04WArBkxVh2/zNOasGTsxE=; b=I1JBCNTgedbi4ZebtyfL+V0BlVpHmlzaRDWtMRho6CLdGcKdQ0fpg6qAMgF5wsthYu q+O0oD4wkOeBt2cgAOs/4L5mAglomHoTfc3wJb5KDtcNlf7KZBcMJ/8m2/zgDGt7cWXR fc2/4XAX+t0FW41XXJsMhoHbffFiqHWqLeyI9BLOA8FSVWps2qGcInoquGQzKhv9dfhO QVSsFc1E7yK3OEmFEQo9NlXAde+H/LH0kBCPdjFn0PB2QbjcDKV/FC+CemjOjVeEaUfc Kbwettv9Yai7VJ8tss4lNNMwxwSpaFJpPfdrOKQU08NtAEBZj+h1h/7CS/1kFiL+EJBl wrsQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id go21si3125451plb.386.2019.05.03.10.31.41; Fri, 03 May 2019 10:31:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726724AbfECRbe (ORCPT + 99 others); Fri, 3 May 2019 13:31:34 -0400 Received: from fieldses.org ([173.255.197.46]:54610 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726585AbfECRbe (ORCPT ); Fri, 3 May 2019 13:31:34 -0400 Received: by fieldses.org (Postfix, from userid 2815) id 4C0301C26; Fri, 3 May 2019 13:31:33 -0400 (EDT) Date: Fri, 3 May 2019 13:31:33 -0400 From: "J. Bruce Fields" To: Amir Goldstein Cc: NeilBrown , Andreas Gruenbacher , Miklos Szeredi , Andreas =?utf-8?Q?Gr=C3=BCnbacher?= , Patrick Plagwitz , "linux-unionfs@vger.kernel.org" , Linux NFS list , Linux FS-devel Mailing List , Linux Kernel Mailing List Subject: Re: [PATCH] overlayfs: ignore empty NFSv4 ACLs in ext4 upperdir Message-ID: <20190503173133.GB14954@fieldses.org> References: <266c571f-e4e2-7c61-5ee2-8ece0c2d06e9@web.de> <20161206185806.GC31197@fieldses.org> <87bm0l4nra.fsf@notabene.neil.brown.name> <20190503153531.GJ12608@fieldses.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Fri, May 03, 2019 at 01:26:01PM -0400, Amir Goldstein wrote: > On Fri, May 3, 2019 at 12:03 PM J. Bruce Fields wrote: > > > > On Thu, May 02, 2019 at 12:02:33PM +1000, NeilBrown wrote: > > > On Tue, Dec 06 2016, J. Bruce Fields wrote: > > > > > > > On Tue, Dec 06, 2016 at 02:18:31PM +0100, Andreas Gruenbacher wrote: > > > >> On Tue, Dec 6, 2016 at 11:08 AM, Miklos Szeredi wrote: > > > >> > On Tue, Dec 6, 2016 at 12:24 AM, Andreas Grünbacher > > > >> > wrote: > > > >> >> 2016-12-06 0:19 GMT+01:00 Andreas Grünbacher : > > > >> > > > > >> >>> It's not hard to come up with a heuristic that determines if a > > > >> >>> system.nfs4_acl value is equivalent to a file mode, and to ignore the > > > >> >>> attribute in that case. (The file mode is transmitted in its own > > > >> >>> attribute already, so actually converting .) That way, overlayfs could > > > >> >>> still fail copying up files that have an actual ACL. It's still an > > > >> >>> ugly hack ... > > > >> >> > > > >> >> Actually, that kind of heuristic would make sense in the NFS client > > > >> >> which could then hide the "system.nfs4_acl" attribute. > > > >> > > > > >> > Even simpler would be if knfsd didn't send the attribute if not > > > >> > necessary. Looks like there's code actively creating the nfs4_acl on > > > >> > the wire even if the filesystem had none: > > > >> > > > > >> > pacl = get_acl(inode, ACL_TYPE_ACCESS); > > > >> > if (!pacl) > > > >> > pacl = posix_acl_from_mode(inode->i_mode, GFP_KERNEL); > > > >> > > > > >> > What's the point? > > > >> > > > >> That's how the protocol is specified. > > > > > > > > Yep, even if we could make that change to nfsd it wouldn't help the > > > > client with the large number of other servers that are out there > > > > (including older knfsd's). > > > > > > > > --b. > > > > > > > >> (I'm not saying that that's very helpful.) > > > >> > > > >> Andreas > > > > > > Hi everyone..... > > > I have a customer facing this problem, and so stumbled onto the email > > > thread. > > > Unfortunately it didn't resolve anything. Maybe I can help kick things > > > along??? > > > > > > The core problem here is that NFSv4 and ext4 use different and largely > > > incompatible ACL implementations. There is no way to accurately > > > translate from one to the other in general (common specific examples > > > can be converted). > > > > > > This means that either: > > > 1/ overlayfs cannot use ext4 for upper and NFS for lower (or vice > > > versa) or > > > 2/ overlayfs need to accept that sometimes it cannot copy ACLs, and > > > that is OK. > > > > > > Silently not copying the ACLs is probably not a good idea as it might > > > result in inappropriate permissions being given away. So if the > > > sysadmin wants this (and some clearly do), they need a way to > > > explicitly say "I accept the risk". > > > > So, I feel like silently copying ACLs up *also* carries a risk, if that > > means switching from server-enforcement to client-enforcement of those > > permissions. > > > > Sorry, I know we had another thread recently about permissions in this > > situation, and I've forgotten the conclusion. > > > > Out of curiosity, what's done with selinux labels? > > > > overlayfs calls security_inode_copy_up_xattr(name) which > can fail (<0) allow (0) or skip(1). > > selinux_inode_copy_up_xattr() as well as smack_inode_copy_up_xattr() > skip their own xattr on copy up and fail any other xattr copy up. If it's OK to silently skip copying up security labels, maybe it's OK to silently skip NFSv4 ACLs too? --b.