Re: Inconsistencies with trusted.SGI_ACL_{FILE,DEFAULT}

[Andreas Gruenbacher <agruenba@xxxxxxxxxx>]

On Tue, Oct 27, 2015 at 6:30 AM, Dave Chinner <david@xxxxxxxxxxxxx> wrote:
> On Tue, Oct 27, 2015 at 12:52:10AM +0100, Andreas Gruenbacher wrote:
>> On Mon, Oct 26, 2015 at 10:32 PM, Dave Chinner <david@xxxxxxxxxxxxx> wrote:
>> > Really, I'm struggling to understand what the problem is with XFS
>> > doing translation to it's own special xattr names for ACLs
>> > underneath the posix layer.
>>
>> Right now, setting one of the SGI_ACL attributes leads to stale i_acl
>> / i_default_acl fields and in the case of SGI_ACL_FILE, possibly to
>> outdated permissions in i_mode. You would get different information
>> from getfacl than what's stored on disk.
>
> That's because we're not marking the cached acl as stale when
> setting the acl directly...
>
>> > Yes, there's a caching issue when someone directly manipulates
>> > the underlying xattr,
>>
>> "Directly manipulating" could be doing a setxattr of an attribute that
>> was previously retrieved by getxattr, like restoring a backup.
>
> Sure, that's what xfsdump/restore effectively does.
>
>> > but you need root to shoot yourself in the foot that way, and that is 
>> > easily
>> > solveable.
>>
>> What do you mean, it's easily solvable?
>
> forget_all_cached_acls()

Brian has already suggested that in this thread. Still leaves the
i_mode permission bits stale and is broken wrt. uid/gid namespaces.

Andreas