ACL test failures on overlayfs over tmpfs

ACL test failures on overlayfs over tmpfs

[Amir Goldstein]

[-- Attachment #1: Type: text/plain, Size: 1651 bytes --]

Hi guys,

I recently learned about a set of ACL tests that were added
by Tuxera to pjdtests. I pushed a branch to my github with
some fixes to build and run on recent Linux:

https://github.com/amir73il/pjdfstest.git #tuxera-acl-tests

While the set of ACL tests pass on overlayfs over xfs/ext4
some fail on overlayfs over tmpfs.
Below is a snippet from one of the failed tests.
The test setup grants read-only access to a 'foreign' user
and write-only access to a 'foreign' group (i.e. not the owner).

The return value from the 4 open statements at the bottom
of the test are correct when run on tmpfs/xfs/ext4 and they
are correct when run on overlayfs over xfs/ext4.

However, when running the same test on overlayfs over tmpfs
(both lower and upper) all 4 open statements fail with EACCESS
as if the ACL permission grant for the foreign user/group are skipped.

I tried following the permission checks code and got lost.

Can you shed some light on this for me?

Thanks,
Amir.

# create a basic directory, clean its inherited ACLs, and check initial ACL
# 1
expect 0 mkdir ${d0} 0777
expect 0 setfacl ${d0} b
expect 0 create ${d0}/${n1} 0644
expect 0 chown ${d0}/${n1} 65533 65533
expect 'u::rw-,g::r--,o::r--' getfacl ${d0}/${n1} access
expect EACCES getfacl ${d0}/${n1} default
#
# Grant read or write access to another user or group, check access
# 6
expect 0 setfacl ${d0}/${n1} m 'u::-,g::-,o::-,m::rw,u:65531:r,g:65532:w'
expect 0 -u 65531 -g 65531 open ${d0}/${n1} O_RDONLY
expect EACCES -u 65531 -g 65531 open ${d0}/${n1} O_RDWR
expect 0 -u 65532 -g 65532 open ${d0}/${n1} O_WRONLY
expect EACCES -u 65532 -g 65532 open ${d0}/${n1} O_RDWR

[-- Attachment #2: Type: text/html, Size: 2293 bytes --]

Fwd: ACL test failures on overlayfs over tmpfs

[Amir Goldstein]

Hi guys,

I recently learned about a set of ACL tests that were added
by Tuxera to pjdtests. I pushed a branch to my github with
some fixes to build and run on recent Linux:

https://github.com/amir73il/pjdfstest.git #tuxera-acl-tests

While the set of ACL tests pass on overlayfs over xfs/ext4
some fail on overlayfs over tmpfs.
Below is a snippet from one of the failed tests.
The test setup grants read-only access to a 'foreign' user
and write-only access to a 'foreign' group (i.e. not the owner).

The return value from the 4 open statements at the bottom
of the test are correct when run on tmpfs/xfs/ext4 and they
are correct when run on overlayfs over xfs/ext4.

However, when running the same test on overlayfs over tmpfs
(both lower and upper) all 4 open statements fail with EACCESS
as if the ACL permission grant for the foreign user/group are skipped.

I tried following the permission checks code and got lost.

Can you shed some light on this for me?

Thanks,
Amir.

# create a basic directory, clean its inherited ACLs, and check initial ACL
# 1
expect 0 mkdir ${d0} 0777
expect 0 setfacl ${d0} b
expect 0 create ${d0}/${n1} 0644
expect 0 chown ${d0}/${n1} 65533 65533
expect 'u::rw-,g::r--,o::r--' getfacl ${d0}/${n1} access
expect EACCES getfacl ${d0}/${n1} default
#
# Grant read or write access to another user or group, check access
# 6
expect 0 setfacl ${d0}/${n1} m 'u::-,g::-,o::-,m::rw,u:65531:r,g:65532:w'
expect 0 -u 65531 -g 65531 open ${d0}/${n1} O_RDONLY
expect EACCES -u 65531 -g 65531 open ${d0}/${n1} O_RDWR
expect 0 -u 65532 -g 65532 open ${d0}/${n1} O_WRONLY
expect EACCES -u 65532 -g 65532 open ${d0}/${n1} O_RDWR

Re: ACL test failures on overlayfs over tmpfs

[Miklos Szeredi]

On Sun, Oct 30, 2016 at 03:35:04PM +0200, Amir Goldstein wrote:
> Hi guys,
> 
> I recently learned about a set of ACL tests that were added
> by Tuxera to pjdtests. I pushed a branch to my github with
> some fixes to build and run on recent Linux:
> 
> https://github.com/amir73il/pjdfstest.git #tuxera-acl-tests
> 
> While the set of ACL tests pass on overlayfs over xfs/ext4
> some fail on overlayfs over tmpfs.
> Below is a snippet from one of the failed tests.
> The test setup grants read-only access to a 'foreign' user
> and write-only access to a 'foreign' group (i.e. not the owner).
> 
> The return value from the 4 open statements at the bottom
> of the test are correct when run on tmpfs/xfs/ext4 and they
> are correct when run on overlayfs over xfs/ext4.
> 
> However, when running the same test on overlayfs over tmpfs
> (both lower and upper) all 4 open statements fail with EACCESS
> as if the ACL permission grant for the foreign user/group are skipped.
> 
> I tried following the permission checks code and got lost.
> 
> Can you shed some light on this for me?

Following patch should fix it.

Pushed, with a bunch of other fixes, to #overlayfs-linus.

Thanks,
Miklos

---
From: Miklos Szeredi <mszeredi@redhat.com>
Subject: ovl: fix get_acl() on tmpfs

tmpfs doesn't have ->get_acl() because it only uses cached acls.

This fixes the acl tests in pjdfstest when tmpfs is used as the upper layer
of the overlay.

Reported-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
---
 fs/overlayfs/inode.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -270,9 +270,6 @@ struct posix_acl *ovl_get_acl(struct ino
 	if (!IS_ENABLED(CONFIG_FS_POSIX_ACL) || !IS_POSIXACL(realinode))
 		return NULL;
 
-	if (!realinode->i_op->get_acl)
-		return NULL;
-
 	old_cred = ovl_override_creds(inode->i_sb);
 	acl = get_acl(realinode, type);
 	revert_creds(old_cred);

Re: ACL test failures on overlayfs over tmpfs

[Amir Goldstein]

On Mon, Oct 31, 2016 at 3:51 PM, Miklos Szeredi <miklos@szeredi.hu> wrote:
> On Sun, Oct 30, 2016 at 03:35:04PM +0200, Amir Goldstein wrote:
>> Hi guys,
>>
>> I recently learned about a set of ACL tests that were added
>> by Tuxera to pjdtests. I pushed a branch to my github with
>> some fixes to build and run on recent Linux:
>>
>> https://github.com/amir73il/pjdfstest.git #tuxera-acl-tests
>>
>> While the set of ACL tests pass on overlayfs over xfs/ext4
>> some fail on overlayfs over tmpfs.
>> Below is a snippet from one of the failed tests.
>> The test setup grants read-only access to a 'foreign' user
>> and write-only access to a 'foreign' group (i.e. not the owner).
>>
>> The return value from the 4 open statements at the bottom
>> of the test are correct when run on tmpfs/xfs/ext4 and they
>> are correct when run on overlayfs over xfs/ext4.
>>
>> However, when running the same test on overlayfs over tmpfs
>> (both lower and upper) all 4 open statements fail with EACCESS
>> as if the ACL permission grant for the foreign user/group are skipped.
>>
>> I tried following the permission checks code and got lost.
>>
>> Can you shed some light on this for me?
>
> Following patch should fix it.
>

Confirmed

> Pushed, with a bunch of other fixes, to #overlayfs-linus.
>
> Thanks,
> Miklos
>
> ---
> From: Miklos Szeredi <mszeredi@redhat.com>
> Subject: ovl: fix get_acl() on tmpfs
>
> tmpfs doesn't have ->get_acl() because it only uses cached acls.
>
> This fixes the acl tests in pjdfstest when tmpfs is used as the upper layer
> of the overlay.
>
> Reported-by: Amir Goldstein <amir73il@gmail.com>
> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
> ---
>  fs/overlayfs/inode.c |    3 ---
>  1 file changed, 3 deletions(-)
>
> --- a/fs/overlayfs/inode.c
> +++ b/fs/overlayfs/inode.c
> @@ -270,9 +270,6 @@ struct posix_acl *ovl_get_acl(struct ino
>         if (!IS_ENABLED(CONFIG_FS_POSIX_ACL) || !IS_POSIXACL(realinode))
>                 return NULL;
>
> -       if (!realinode->i_op->get_acl)
> -               return NULL;
> -
>         old_cred = ovl_override_creds(inode->i_sb);
>         acl = get_acl(realinode, type);
>         revert_creds(old_cred);