[lxc-devel] [lxd/master] idmap:acl: don't add but update the acls

brauner on Github lxc-bot at linuxcontainers.org
Thu Feb 13 19:08:46 UTC 2020


From 1176499c1d278b9859aa28c72305dbd7fc956994 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 13 Feb 2020 20:07:14 +0100
Subject: [PATCH] idmap:acl: don't add but update the acls

With this change I get:

Before:
 root at wittgenstein|/var/lib/lxd/storage-pools/zfs/containers/f1/rootfs
 > getfacl var/log/journal/
 # file: var/log/journal/
 # owner: 100000
 # group: 100101
 # flags: -s-
 user::rwx
 group::r-x
 group:100004:r-x
 mask::r-x
 other::r-x
 default:user::rwx
 default:group::r-x
 default:group:100004:r-x
 default:mask::r-x
 default:other::r-x

After Remapping:
 root at wittgenstein|/var/lib/lxd/storage-pools/zfs/containers/f1/rootfs
 > getfacl var/log/journal/
 # file: var/log/journal/
 # owner: 165536
 # group: 165637
 # flags: -s-
 user::rwx
 group::r-x
 group:165540:r-x
 mask::r-x
 other::r-x
 default:user::rwx
 default:group::r-x
 default:group:165540:r-x
 default:mask::r-x
 default:other::r-x

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 shared/idmap/shift_linux.go | 23 ++++-------------------
 1 file changed, 4 insertions(+), 19 deletions(-)

diff --git a/shared/idmap/shift_linux.go b/shared/idmap/shift_linux.go
index c4b3b50b30..5069a509e8 100644
--- a/shared/idmap/shift_linux.go
+++ b/shared/idmap/shift_linux.go
@@ -227,14 +227,10 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
 	}
 	defer C.acl_free(unsafe.Pointer(acl))
 
-	newAcl := C.acl_init(0)
-	defer C.acl_free(unsafe.Pointer(newAcl))
-
 	// Iterate through all ACL entries
 	update := false
 	for entryId := C.ACL_FIRST_ENTRY; ; entryId = C.ACL_NEXT_ENTRY {
 		var ent C.acl_entry_t
-		var newEnt C.acl_entry_t
 		var tag C.acl_tag_t
 
 		// Get the ACL entry
@@ -245,19 +241,8 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
 			return fmt.Errorf("Failed to get the ACL entry for %s", path)
 		}
 
-		// Setup the new entry
-		ret = C.acl_create_entry(&newAcl, &newEnt)
-		if ret == -1 {
-			return fmt.Errorf("Failed to allocate a new ACL entry for %s", path)
-		}
-
-		ret = C.acl_copy_entry(newEnt, ent)
-		if ret == -1 {
-			return fmt.Errorf("Failed to copy the ACL entry for %s", path)
-		}
-
 		// Get the ACL type
-		ret = C.acl_get_tag_type(newEnt, &tag)
+		ret = C.acl_get_tag_type(ent, &tag)
 		if ret == -1 {
 			return fmt.Errorf("Failed to get the ACL type for %s", path)
 		}
@@ -268,7 +253,7 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
 		}
 
 		// Get the value
-		idp := (*C.id_t)(C.acl_get_qualifier(newEnt))
+		idp := (*C.id_t)(C.acl_get_qualifier(ent))
 		if idp == nil {
 			return fmt.Errorf("Failed to get current ACL value for %s", path)
 		}
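Review bot: The pointer returned by `C.acl_get_qualifier(ent)` on the `+` line is library-allocated storage that the libacl documentation expects the caller to release with `acl_free`, and nothing in the loop frees it, so each user/group entry leaks one allocation per shifted path. The value is only needed as input to shiftIds, so copy it out and release it immediately rather than adding a `defer` inside the loop, e.g. `curID := int64(*idp)` followed by `C.acl_free(unsafe.Pointer(idp))`, placed before the shiftIds call in the next hunk. The same pattern existed with `newEnt` before this change, but since `ent` is now the live entry written back to disk this is a good moment to fix it. shiftAclType's body continues outside the hunk.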
@@ -277,7 +262,7 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
 		newId, _ := shiftIds((int64)(*idp), -1)
 
 		// Update the new entry with the shifted value
-		ret = C.acl_set_qualifier(newEnt, unsafe.Pointer(&newId))
+		ret = C.acl_set_qualifier(ent, unsafe.Pointer(&newId))
 		if ret == -1 {
 			return fmt.Errorf("Failed to set ACL qualifier on %s", path)
 		}
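Review bot: `newId` on the `+` line is whatever shiftIds returns (presumably an int64, matching its parameters), yet `acl_set_qualifier` reads the pointed-to memory as a C `id_t`, so the call relies on the low 32 bits of a 64-bit value happening to come first in memory. An explicit conversion removes that layout assumption: `cid := C.id_t(newId)` and `ret = C.acl_set_qualifier(ent, unsafe.Pointer(&cid))`. Separately, the second result of shiftIds is discarded and -1 is passed as the gid regardless of the entry's tag, so group entries appear to be mapped through the uid map; if that is intentional because both ranges are always identical, a comment such as `// group qualifiers are shifted via the uid map; assumes uid and gid maps match` would save the next reader the question. The tag check that reaches this code sits outside the hunk.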
@@ -287,7 +272,7 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
 
 	// Update the on-disk ACLs to match
 	if update {
-		ret := C.acl_set_file(cpath, C.uint(aclType), newAcl)
+		ret := C.acl_set_file(cpath, C.uint(aclType), acl)
 		if ret == -1 {
 			return fmt.Errorf("Failed to change ACLs on %s", path)
 		}

