[lxc-devel] [lxd/master] idmap:acl: don't add but update the acls
brauner on Github
lxc-bot at linuxcontainers.org
Thu Feb 13 19:08:46 UTC 2020
From 1176499c1d278b9859aa28c72305dbd7fc956994 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 13 Feb 2020 20:07:14 +0100
Subject: [PATCH] idmap:acl: don't add but update the acls
With this change I get:
Before:
root at wittgenstein|/var/lib/lxd/storage-pools/zfs/containers/f1/rootfs
> getfacl var/log/journal/
# file: var/log/journal/
# owner: 100000
# group: 100101
# flags: -s-
user::rwx
group::r-x
group:100004:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:100004:r-x
default:mask::r-x
default:other::r-x
After Remapping:
root at wittgenstein|/var/lib/lxd/storage-pools/zfs/containers/f1/rootfs
> getfacl var/log/journal/
# file: var/log/journal/
# owner: 165536
# group: 165637
# flags: -s-
user::rwx
group::r-x
group:165540:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:165540:r-x
default:mask::r-x
default:other::r-x
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
shared/idmap/shift_linux.go | 23 ++++-------------------
1 file changed, 4 insertions(+), 19 deletions(-)
diff --git a/shared/idmap/shift_linux.go b/shared/idmap/shift_linux.go
index c4b3b50b30..5069a509e8 100644
--- a/shared/idmap/shift_linux.go
+++ b/shared/idmap/shift_linux.go
@@ -227,14 +227,10 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
}
defer C.acl_free(unsafe.Pointer(acl))
- newAcl := C.acl_init(0)
- defer C.acl_free(unsafe.Pointer(newAcl))
-
// Iterate through all ACL entries
update := false
for entryId := C.ACL_FIRST_ENTRY; ; entryId = C.ACL_NEXT_ENTRY {
var ent C.acl_entry_t
- var newEnt C.acl_entry_t
var tag C.acl_tag_t
// Get the ACL entry
@@ -245,19 +241,8 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
return fmt.Errorf("Failed to get the ACL entry for %s", path)
}
- // Setup the new entry
- ret = C.acl_create_entry(&newAcl, &newEnt)
- if ret == -1 {
- return fmt.Errorf("Failed to allocate a new ACL entry for %s", path)
- }
-
- ret = C.acl_copy_entry(newEnt, ent)
- if ret == -1 {
- return fmt.Errorf("Failed to copy the ACL entry for %s", path)
- }
-
// Get the ACL type
- ret = C.acl_get_tag_type(newEnt, &tag)
+ ret = C.acl_get_tag_type(ent, &tag)
if ret == -1 {
return fmt.Errorf("Failed to get the ACL type for %s", path)
}
@@ -268,7 +253,7 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
}
// Get the value
- idp := (*C.id_t)(C.acl_get_qualifier(newEnt))
+ idp := (*C.id_t)(C.acl_get_qualifier(ent))
if idp == nil {
return fmt.Errorf("Failed to get current ACL value for %s", path)
}
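Review bot: The pointer assigned on the `idp :=` line is storage that libacl allocates for the caller, and none of the visible loop lines release it, so unless an `acl_free(unsafe.Pointer(idp))` exists outside the hunk every user/group entry leaks one allocation per call. Because shiftAclType is applied to each file of a rootfs during a shift, that cost is paid per entry per file. A `defer` inside the loop would only run at function return, so the cleaner fix is to copy the id out of `*idp` into a local and call `C.acl_free(unsafe.Pointer(idp))` right away, before the tag-dependent shift call that follows. The enclosing loop and shiftAclType's body continue outside the hunk.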
@@ -277,7 +262,7 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
newId, _ := shiftIds((int64)(*idp), -1)
// Update the new entry with the shifted value
- ret = C.acl_set_qualifier(newEnt, unsafe.Pointer(&newId))
+ ret = C.acl_set_qualifier(ent, unsafe.Pointer(&newId))
if ret == -1 {
return fmt.Errorf("Failed to set ACL qualifier on %s", path)
}
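Review bot: `newId` on the first context line is an int64, but `acl_set_qualifier(ent, unsafe.Pointer(&newId))` on the added line is read by libacl as a uid_t or gid_t, which is 32 bits wide on Linux; on a little-endian host the low half happens to be the right one, but on a big-endian host the wrong half would be read. Converting first pins the width regardless of byte order: `newQual := C.id_t(newId)` followed by `ret = C.acl_set_qualifier(ent, unsafe.Pointer(&newQual))`. The same mismatch existed with `newEnt` before this change, so it is pre-existing rather than introduced here, but this hunk is where it is easiest to fix. The enclosing loop continues outside the hunk.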
@@ -287,7 +272,7 @@ func shiftAclType(path string, aclType int, shiftIds func(uid int64, gid int64)
// Update the on-disk ACLs to match
if update {
- ret := C.acl_set_file(cpath, C.uint(aclType), newAcl)
+ ret := C.acl_set_file(cpath, C.uint(aclType), acl)
if ret == -1 {
return fmt.Errorf("Failed to change ACLs on %s", path)
}