tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

fs: port ->get_acl() to pass mnt_idmap

Convert to struct mnt_idmap.

Last cycle we merged the necessary infrastructure in
256c8aed2b42 ("fs: introduce dedicated idmap type for mounts").
This is just the conversion to struct mnt_idmap.

Currently we still pass around the plain namespace that was attached to a
mount. This is in general pretty convenient but it makes it easy to
conflate namespaces that are relevant on the filesystem with namespaces
that are relevent on the mount level. Especially for non-vfs developers
without detailed knowledge in this area this can be a potential source for
bugs.

Once the conversion to struct mnt_idmap is done all helpers down to the
really low-level helpers will take a struct mnt_idmap argument instead of
two namespace arguments. This way it becomes impossible to conflate the two
eliminating the possibility of any bugs. All of the vfs and all filesystems
only operate on struct mnt_idmap.

Acked-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>

Christian Brauner 77435322 011e2b71

+29 -26
+1 -1
Documentation/filesystems/locking.rst
··· 84 84 int (*fileattr_set)(struct user_namespace *mnt_userns, 85 85 struct dentry *dentry, struct fileattr *fa); 86 86 int (*fileattr_get)(struct dentry *dentry, struct fileattr *fa); 87 - struct posix_acl * (*get_acl)(struct user_namespace *, struct dentry *, int); 87 + struct posix_acl * (*get_acl)(struct mnt_idmap *, struct dentry *, int); 88 88 89 89 locking rules: 90 90 all may block
+1 -1
Documentation/filesystems/vfs.rst
··· 443 443 int (*atomic_open)(struct inode *, struct dentry *, struct file *, 444 444 unsigned open_flag, umode_t create_mode); 445 445 int (*tmpfile) (struct mnt_idmap *, struct inode *, struct file *, umode_t); 446 - struct posix_acl * (*get_acl)(struct user_namespace *, struct dentry *, int); 446 + struct posix_acl * (*get_acl)(struct mnt_idmap *, struct dentry *, int); 447 447 int (*set_acl)(struct user_namespace *, struct dentry *, struct posix_acl *, int); 448 448 int (*fileattr_set)(struct user_namespace *mnt_userns, 449 449 struct dentry *dentry, struct fileattr *fa);
+1 -1
fs/9p/acl.c
··· 139 139 140 140 } 141 141 142 - struct posix_acl *v9fs_iop_get_acl(struct user_namespace *mnt_userns, 142 + struct posix_acl *v9fs_iop_get_acl(struct mnt_idmap *idmap, 143 143 struct dentry *dentry, int type) 144 144 { 145 145 struct v9fs_session_info *v9ses;
+1 -1
fs/9p/acl.h
··· 10 10 int v9fs_get_acl(struct inode *inode, struct p9_fid *fid); 11 11 struct posix_acl *v9fs_iop_get_inode_acl(struct inode *inode, int type, 12 12 bool rcu); 13 - struct posix_acl *v9fs_iop_get_acl(struct user_namespace *mnt_userns, 13 + struct posix_acl *v9fs_iop_get_acl(struct mnt_idmap *idmap, 14 14 struct dentry *dentry, int type); 15 15 int v9fs_iop_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, 16 16 struct posix_acl *acl, int type);
+1 -1
fs/cifs/cifsacl.c
··· 1674 1674 return rc; 1675 1675 } 1676 1676 1677 - struct posix_acl *cifs_get_acl(struct user_namespace *mnt_userns, 1677 + struct posix_acl *cifs_get_acl(struct mnt_idmap *idmap, 1678 1678 struct dentry *dentry, int type) 1679 1679 { 1680 1680 #if defined(CONFIG_CIFS_ALLOW_INSECURE_LEGACY) && defined(CONFIG_CIFS_POSIX)
+1 -1
fs/cifs/cifsproto.h
··· 225 225 const char *, u32 *, u32); 226 226 extern struct cifs_ntsd *get_cifs_acl_by_fid(struct cifs_sb_info *, 227 227 const struct cifs_fid *, u32 *, u32); 228 - extern struct posix_acl *cifs_get_acl(struct user_namespace *mnt_userns, 228 + extern struct posix_acl *cifs_get_acl(struct mnt_idmap *idmap, 229 229 struct dentry *dentry, int type); 230 230 extern int cifs_set_acl(struct user_namespace *mnt_userns, 231 231 struct dentry *dentry, struct posix_acl *acl, int type);
+2 -2
fs/ecryptfs/inode.c
··· 1122 1122 return rc; 1123 1123 } 1124 1124 1125 - static struct posix_acl *ecryptfs_get_acl(struct user_namespace *mnt_userns, 1125 + static struct posix_acl *ecryptfs_get_acl(struct mnt_idmap *idmap, 1126 1126 struct dentry *dentry, int type) 1127 1127 { 1128 - return vfs_get_acl(mnt_userns, ecryptfs_dentry_to_lower(dentry), 1128 + return vfs_get_acl(idmap, ecryptfs_dentry_to_lower(dentry), 1129 1129 posix_acl_xattr_name(type)); 1130 1130 } 1131 1131
+6 -4
fs/overlayfs/inode.c
··· 515 515 { 516 516 struct posix_acl *real_acl, *clone; 517 517 struct user_namespace *mnt_userns; 518 + struct mnt_idmap *idmap; 518 519 struct inode *realinode = d_inode(path->dentry); 519 520 520 - mnt_userns = mnt_user_ns(path->mnt); 521 + idmap = mnt_idmap(path->mnt); 522 + mnt_userns = mnt_idmap_owner(idmap); 521 523 522 524 if (noperm) 523 525 real_acl = get_inode_acl(realinode, posix_acl_type(acl_name)); 524 526 else 525 - real_acl = vfs_get_acl(mnt_userns, path->dentry, acl_name); 527 + real_acl = vfs_get_acl(idmap, path->dentry, acl_name); 526 528 if (IS_ERR_OR_NULL(real_acl)) 527 529 return real_acl; 528 530 ··· 557 555 * 558 556 * This is obviously only relevant when idmapped layers are used. 559 557 */ 560 - struct posix_acl *do_ovl_get_acl(struct user_namespace *mnt_userns, 558 + struct posix_acl *do_ovl_get_acl(struct mnt_idmap *idmap, 561 559 struct inode *inode, int type, 562 560 bool rcu, bool noperm) 563 561 { ··· 620 618 621 619 ovl_path_lower(dentry, &realpath); 622 620 old_cred = ovl_override_creds(dentry->d_sb); 623 - real_acl = vfs_get_acl(mnt_user_ns(realpath.mnt), realdentry, 621 + real_acl = vfs_get_acl(mnt_idmap(realpath.mnt), realdentry, 624 622 acl_name); 625 623 revert_creds(old_cred); 626 624 if (IS_ERR(real_acl)) {
+4 -4
fs/overlayfs/overlayfs.h
··· 610 610 ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size); 611 611 612 612 #ifdef CONFIG_FS_POSIX_ACL 613 - struct posix_acl *do_ovl_get_acl(struct user_namespace *mnt_userns, 613 + struct posix_acl *do_ovl_get_acl(struct mnt_idmap *idmap, 614 614 struct inode *inode, int type, 615 615 bool rcu, bool noperm); 616 616 static inline struct posix_acl *ovl_get_inode_acl(struct inode *inode, int type, 617 617 bool rcu) 618 618 { 619 - return do_ovl_get_acl(&init_user_ns, inode, type, rcu, true); 619 + return do_ovl_get_acl(&nop_mnt_idmap, inode, type, rcu, true); 620 620 } 621 - static inline struct posix_acl *ovl_get_acl(struct user_namespace *mnt_userns, 621 + static inline struct posix_acl *ovl_get_acl(struct mnt_idmap *idmap, 622 622 struct dentry *dentry, int type) 623 623 { 624 - return do_ovl_get_acl(mnt_userns, d_inode(dentry), type, false, false); 624 + return do_ovl_get_acl(idmap, d_inode(dentry), type, false, false); 625 625 } 626 626 int ovl_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, 627 627 struct posix_acl *acl, int type);
+8 -7
fs/posix_acl.c
··· 111 111 } 112 112 EXPORT_SYMBOL(forget_all_cached_acls); 113 113 114 - static struct posix_acl *__get_acl(struct user_namespace *mnt_userns, 114 + static struct posix_acl *__get_acl(struct mnt_idmap *idmap, 115 115 struct dentry *dentry, struct inode *inode, 116 116 int type) 117 117 { ··· 154 154 * we'll just create the negative cache entry. 155 155 */ 156 156 if (dentry && inode->i_op->get_acl) { 157 - acl = inode->i_op->get_acl(mnt_userns, dentry, type); 157 + acl = inode->i_op->get_acl(idmap, dentry, type); 158 158 } else if (inode->i_op->get_inode_acl) { 159 159 acl = inode->i_op->get_inode_acl(inode, type, false); 160 160 } else { ··· 181 181 182 182 struct posix_acl *get_inode_acl(struct inode *inode, int type) 183 183 { 184 - return __get_acl(&init_user_ns, NULL, inode, type); 184 + return __get_acl(&nop_mnt_idmap, NULL, inode, type); 185 185 } 186 186 EXPORT_SYMBOL(get_inode_acl); 187 187 ··· 1121 1121 1122 1122 /** 1123 1123 * vfs_get_acl - get posix acls 1124 - * @mnt_userns: user namespace of the mount 1124 + * @idmap: idmap of the mount 1125 1125 * @dentry: the dentry based on which to retrieve the posix acls 1126 1126 * @acl_name: the name of the posix acl 1127 1127 * ··· 1130 1130 * 1131 1131 * Return: On success POSIX ACLs in VFS format, on error negative errno. 1132 1132 */ 1133 - struct posix_acl *vfs_get_acl(struct user_namespace *mnt_userns, 1133 + struct posix_acl *vfs_get_acl(struct mnt_idmap *idmap, 1134 1134 struct dentry *dentry, const char *acl_name) 1135 1135 { 1136 + struct user_namespace *mnt_userns = mnt_idmap_owner(idmap); 1136 1137 struct inode *inode = d_inode(dentry); 1137 1138 struct posix_acl *acl; 1138 1139 int acl_type, error; ··· 1155 1154 if (S_ISLNK(inode->i_mode)) 1156 1155 return ERR_PTR(-EOPNOTSUPP); 1157 1156 1158 - acl = __get_acl(mnt_userns, dentry, inode, acl_type); 1157 + acl = __get_acl(idmap, dentry, inode, acl_type); 1159 1158 if (IS_ERR(acl)) 1160 1159 return acl; 1161 1160 if (!acl) ··· 1257 1256 ssize_t error; 1258 1257 struct posix_acl *acl; 1259 1258 1260 - acl = vfs_get_acl(mnt_idmap_owner(idmap), dentry, acl_name); 1259 + acl = vfs_get_acl(idmap, dentry, acl_name); 1261 1260 if (IS_ERR(acl)) 1262 1261 return PTR_ERR(acl); 1263 1262
+1 -1
include/linux/fs.h
··· 2164 2164 umode_t create_mode); 2165 2165 int (*tmpfile) (struct mnt_idmap *, struct inode *, 2166 2166 struct file *, umode_t); 2167 - struct posix_acl *(*get_acl)(struct user_namespace *, struct dentry *, 2167 + struct posix_acl *(*get_acl)(struct mnt_idmap *, struct dentry *, 2168 2168 int); 2169 2169 int (*set_acl)(struct user_namespace *, struct dentry *, 2170 2170 struct posix_acl *, int);
+2 -2
include/linux/posix_acl.h
··· 102 102 103 103 int vfs_set_acl(struct user_namespace *mnt_userns, struct dentry *dentry, 104 104 const char *acl_name, struct posix_acl *kacl); 105 - struct posix_acl *vfs_get_acl(struct user_namespace *mnt_userns, 105 + struct posix_acl *vfs_get_acl(struct mnt_idmap *idmap, 106 106 struct dentry *dentry, const char *acl_name); 107 107 int vfs_remove_acl(struct user_namespace *mnt_userns, struct dentry *dentry, 108 108 const char *acl_name); ··· 141 141 return -EOPNOTSUPP; 142 142 } 143 143 144 - static inline struct posix_acl *vfs_get_acl(struct user_namespace *mnt_userns, 144 + static inline struct posix_acl *vfs_get_acl(struct mnt_idmap *idmap, 145 145 struct dentry *dentry, 146 146 const char *acl_name) 147 147 {