The following pull request was submitted through GitHub.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6878

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
With this change I get:

Before:
```
 root@wittgenstein|/var/lib/lxd/storage-pools/zfs/containers/f1/rootfs
 > getfacl var/log/journal/
 # file: var/log/journal/
 # owner: 100000
 # group: 100101
 # flags: -s-
 user::rwx
 group::r-x
 group:100004:r-x
 mask::r-x
 other::r-x
 default:user::rwx
 default:group::r-x
 default:group:100004:r-x
 default:mask::r-x
 default:other::r-x
```

After Remapping:
```
 root@wittgenstein|/var/lib/lxd/storage-pools/zfs/containers/f1/rootfs
 > getfacl var/log/journal/
 # file: var/log/journal/
 # owner: 165536
 # group: 165637
 # flags: -s-
 user::rwx
 group::r-x
 group:165540:r-x
 mask::r-x
 other::r-x
 default:user::rwx
 default:group::r-x
 default:group:165540:r-x
 default:mask::r-x
 default:other::r-x
```

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From 1176499c1d278b9859aa28c72305dbd7fc956994 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Thu, 13 Feb 2020 20:07:14 +0100
Subject: [PATCH] idmap:acl: don't add but update the acls

With this change I get:

Before:
 root@wittgenstein|/var/lib/lxd/storage-pools/zfs/containers/f1/rootfs
 > getfacl var/log/journal/
 # file: var/log/journal/
 # owner: 100000
 # group: 100101
 # flags: -s-
 user::rwx
 group::r-x
 group:100004:r-x
 mask::r-x
 other::r-x
 default:user::rwx
 default:group::r-x
 default:group:100004:r-x
 default:mask::r-x
 default:other::r-x

After Remapping:
 root@wittgenstein|/var/lib/lxd/storage-pools/zfs/containers/f1/rootfs
 > getfacl var/log/journal/
 # file: var/log/journal/
 # owner: 165536
 # group: 165637
 # flags: -s-
 user::rwx
 group::r-x
 group:165540:r-x
 mask::r-x
 other::r-x
 default:user::rwx
 default:group::r-x
 default:group:165540:r-x
 default:mask::r-x
 default:other::r-x

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 shared/idmap/shift_linux.go | 23 ++++-------------------
 1 file changed, 4 insertions(+), 19 deletions(-)

diff --git a/shared/idmap/shift_linux.go b/shared/idmap/shift_linux.go
index c4b3b50b30..5069a509e8 100644
--- a/shared/idmap/shift_linux.go
+++ b/shared/idmap/shift_linux.go
@@ -227,14 +227,10 @@ func shiftAclType(path string, aclType int, shiftIds 
func(uid int64, gid int64)
        }
        defer C.acl_free(unsafe.Pointer(acl))
 
-       newAcl := C.acl_init(0)
-       defer C.acl_free(unsafe.Pointer(newAcl))
-
        // Iterate through all ACL entries
        update := false
        for entryId := C.ACL_FIRST_ENTRY; ; entryId = C.ACL_NEXT_ENTRY {
                var ent C.acl_entry_t
-               var newEnt C.acl_entry_t
                var tag C.acl_tag_t
 
                // Get the ACL entry
@@ -245,19 +241,8 @@ func shiftAclType(path string, aclType int, shiftIds 
func(uid int64, gid int64)
                        return fmt.Errorf("Failed to get the ACL entry for %s", 
path)
                }
 
-               // Setup the new entry
-               ret = C.acl_create_entry(&newAcl, &newEnt)
-               if ret == -1 {
-                       return fmt.Errorf("Failed to allocate a new ACL entry 
for %s", path)
-               }
-
-               ret = C.acl_copy_entry(newEnt, ent)
-               if ret == -1 {
-                       return fmt.Errorf("Failed to copy the ACL entry for 
%s", path)
-               }
-
                // Get the ACL type
-               ret = C.acl_get_tag_type(newEnt, &tag)
+               ret = C.acl_get_tag_type(ent, &tag)
                if ret == -1 {
                        return fmt.Errorf("Failed to get the ACL type for %s", 
path)
                }
@@ -268,7 +253,7 @@ func shiftAclType(path string, aclType int, shiftIds 
func(uid int64, gid int64)
                }
 
                // Get the value
-               idp := (*C.id_t)(C.acl_get_qualifier(newEnt))
+               idp := (*C.id_t)(C.acl_get_qualifier(ent))
                if idp == nil {
                        return fmt.Errorf("Failed to get current ACL value for 
%s", path)
                }
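Review bot: The pointer returned by `C.acl_get_qualifier(ent)` is never released in the lines shown here. acl_get_qualifier(3) hands back a copy that the caller must release with acl_free(), so every user or group entry visited would leak one id_t while a whole rootfs is walked. Two lines between this hunk and the next are not visible, so confirm nothing frees it there. If not, copy the value out and free it straight away rather than deferring inside the loop: `id := int64(*idp)` followed by `C.acl_free(unsafe.Pointer(idp))`.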
@@ -277,7 +262,7 @@ func shiftAclType(path string, aclType int, shiftIds 
func(uid int64, gid int64)
                newId, _ := shiftIds((int64)(*idp), -1)
 
                // Update the new entry with the shifted value
-               ret = C.acl_set_qualifier(newEnt, unsafe.Pointer(&newId))
+               ret = C.acl_set_qualifier(ent, unsafe.Pointer(&newId))
                if ret == -1 {
                        return fmt.Errorf("Failed to set ACL qualifier on %s", 
path)
                }
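Review bot: `shiftIds((int64)(*idp), -1)` passes every qualifier through the uid slot without consulting `tag`, so an ACL_GROUP entry appears to be translated with the uid map. When a container's uid and gid ranges differ, the rewritten group entry would name a different host gid than intended, which changes who the ACL grants access to. Consider branching on the tag, e.g. `_, newId = shiftIds(-1, id)` for `C.ACL_GROUP`, and returning an error when the shifted value is -1 instead of handing it to `acl_set_qualifier`. The tag filter sits between hunks and the return types of shiftIds are cut off in the hunk header, so this is inferred from the visible call only.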
@@ -287,7 +272,7 @@ func shiftAclType(path string, aclType int, shiftIds 
func(uid int64, gid int64)
 
        // Update the on-disk ACLs to match
        if update {
-               ret := C.acl_set_file(cpath, C.uint(aclType), newAcl)
+               ret := C.acl_set_file(cpath, C.uint(aclType), acl)
                if ret == -1 {
                        return fmt.Errorf("Failed to change ACLs on %s", path)
                }
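Review bot: `C.acl_set_file(cpath, C.uint(aclType), acl)` resolves `cpath` by name and follows symbolic links, and the example in the description points into a container rootfs whose contents the container controls. Whether the caller excludes symlinks before reaching shiftAclType is not visible in this hunk, so the function should state that precondition, for example `// path must not be a symlink; the caller checks with Lstat before calling`. The error would also be easier to triage if it carried errno, which cgo exposes as a second result: `ret, err := C.acl_set_file(...)` and then `%s: %v` in the message. The function body starts and ends outside the hunk.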