From 30791df55f65d52c2cb558dd9f6e9b15b50f2d14 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 15 Sep 2021 12:21:51 +0200
Subject: [PATCH] main: add a mount flag to disable ACLs
Signed-off-by: Giuseppe Scrivano
---
 fuse-overlayfs.1 | 62 ++++++++++++++++++++++++---------------
 fuse-overlayfs.1.md | 3 +++
 fuse-overlayfs.h | 1 +
 main.c | 5 +++-
 4 files changed, 41 insertions(+), 30 deletions(-)
diff --git a/fuse-overlayfs.1 b/fuse-overlayfs.1
index 864ddda..63b24b5 100644
--- a/fuse-overlayfs.1
+++ b/fuse-overlayfs.1
@@ -1,55 +1,55 @@ .nh -.TH fuse\-overlayfs 1 "User Commands" +.TH fuse-overlayfs 1 "User Commands" .SH NAME .PP -fuse\-overlayfs \- overlayfs FUSE implementation +fuse-overlayfs - overlayfs FUSE implementation .SH SYNOPSIS .PP mounting - fuse\-overlayfs [\-f] [\-\-debug] [\-o OPTS] MOUNT\_TARGET + fuse-overlayfs [-f] [--debug] [-o OPTS] MOUNT_TARGET .PP unmounting - fusermount \-u mountpoint + fusermount -u mountpoint .SH DESCRIPTION .PP -fuse\-overlayfs provides an overlayfs FUSE implementation so that it +fuse-overlayfs provides an overlayfs FUSE implementation so that it can be used since Linux 4.18 by unprivileged users in an user namespace. .SH OPTIONS .PP -\fB\-\-debug\fP +\fB--debug\fP Enable debugging mode, can be very noisy. .PP -\fB\-o lowerdir=low1[:low2...]\fP +\fB-o lowerdir=low1[:low2...]\fP A list of directories separated by \fB\fC:\fR\&. Their content is merged. .PP -\fB\-o upperdir=upperdir\fP +\fB-o upperdir=upperdir\fP A directory merged on top of all the lowerdirs where all the changes done to the file system will be written. .PP -\fB\-o workdir=workdir\fP -A directory used internally by fuse\-overlays, must be on the same file +\fB-o workdir=workdir\fP +A directory used internally by fuse-overlays, must be on the same file system as the upper dir. .PP -\fB\-o uidmapping=UID:MAPPED\-UID:LEN[,UID2:MAPPED\-UID2:LEN2]\fP -\fB\-o gidmapping=GID:MAPPED\-GID:LEN[,GID2:MAPPED\-GID2:LEN2]\fP -Specifies the dynamic UID/GID mapping used by fuse\-overlayfs when +\fB-o uidmapping=UID:MAPPED-UID:LEN[,UID2:MAPPED-UID2:LEN2]\fP +\fB-o gidmapping=GID:MAPPED-GID:LEN[,GID2:MAPPED-GID2:LEN2]\fP +Specifies the dynamic UID/GID mapping used by fuse-overlayfs when reading/writing files to the system. .PP -The fuse\-overlayfs dynamic mapping is an alternative and cheaper way +The fuse-overlayfs dynamic mapping is an alternative and cheaper way to chown'ing the files on the host to accommodate the user namespace settings. 
@@ -62,13 +62,13 @@ without requiring to chown the files. For example, given on the host two files like: .PP -$ stat \-c %u:%g lower/a lower/b +$ stat -c %u:%g lower/a lower/b 0:0 1:1 .PP When we run in a user namespace with the following configuration: -$ cat /proc/self/uid\_map +$ cat /proc/self/uid_map 0 1000 1 1 110000 65536 @@ -76,7 +76,7 @@ $ cat /proc/self/uid\_map We would see: .PP -$ stat \-c %u:%g merged/a merged/b +$ stat -c %u:%g merged/a merged/b 65534:65534 65534:65534 @@ -86,13 +86,13 @@ user namespace. This happens because both users 0:0 and 1:1 are not mapped. .PP -In the above example, if we mount the fuse\-overlayfs file system using: -\fB\fC\-ouidmapping=0:1000:1:1:110000:65536,gidmapping=0:1000:1:1:110000:65536\fR, +In the above example, if we mount the fuse-overlayfs file system using: +\fB\fC-ouidmapping=0:1000:1:1:110000:65536,gidmapping=0:1000:1:1:110000:65536\fR, which is the namespace configuration specified on a single line, we'd see from the same user namespace: .PP -$ stat \-c %u:%g merged/a merged/b +$ stat -c %u:%g merged/a merged/b 0:0 1:1 @@ -100,20 +100,20 @@ $ stat \-c %u:%g merged/a merged/b Those are the same IDs visible from outside the user namespace. .PP -\fB\-o squash\_to\_root\fP +\fB-o squash_to_root\fP Every file and directory is owned by the root user (0:0). .PP -\fB\-o squash\_to\_uid=uid\fP -\fB\-o squash\_to\_gid=gid\fP +\fB-o squash_to_uid=uid\fP +\fB-o squash_to_gid=gid\fP Every file and directory is owned by the specified uid or gid. .PP -It has higher precedence over \fBsquash\_to\_root\fP\&. +It has higher precedence over \fBsquash_to_root\fP\&. .PP -\fB\-o static\_nlink\fP -Set st\_nlink to the static value 1 for all directories. +\fB-o static_nlink\fP +Set st_nlink to the static value 1 for all directories. .PP This can be useful for higher latency file systems such as NFS, where 
@@ -121,13 +121,17 @@ counting the number of hard links for a directory with many files can be a slow operation. With this option enabled, the number of hard links reported when running stat for any directory is 1. +.PP +\fB-o noacl\fP +Disable ACL support in the FUSE file system. + .SH SEE ALSO .PP -\fBfuse\fP(8), \fBmount\fP(8), \fBuser\_namespaces\fP(7) +\fBfuse\fP(8), \fBmount\fP(8), \fBuser_namespaces\fP(7) .SH AVAILABILITY .PP -The fuse\-overlayfs command is available from -\fBhttps://github.com/containers/fuse\-overlayfs\fP under GNU GENERAL PUBLIC LICENSE Version 3 or later. +The fuse-overlayfs command is available from +\fBhttps://github.com/containers/fuse-overlayfs\fP under GNU GENERAL PUBLIC LICENSE Version 3 or later. diff --git a/fuse-overlayfs.1.md b/fuse-overlayfs.1.md index 9c87a8f..c402209 100644 --- a/fuse-overlayfs.1.md +++ b/fuse-overlayfs.1.md @@ -97,6 +97,9 @@ counting the number of hard links for a directory with many files can be a slow operation. With this option enabled, the number of hard links reported when running stat for any directory is 1. +**-o noacl** +Disable ACL support in the FUSE file system. + # SEE ALSO **fuse**(8), **mount**(8), **user_namespaces**(7) diff --git a/fuse-overlayfs.h b/fuse-overlayfs.h index c660d15..27e29ab 100644 --- a/fuse-overlayfs.h +++ b/fuse-overlayfs.h @@ -92,6 +92,7 @@ struct ovl_data double timeout; int threaded; int fsync; + int noacl; int fast_ino_check; int writeback; int disable_xattrs; diff --git a/main.c b/main.c index 168233d..61872a1 100644 --- a/main.c +++ b/main.c @@ -227,6 +227,8 @@ static const struct fuse_opt ovl_opts[] = { offsetof (struct ovl_data, static_nlink), 1}, {"volatile", /* native overlay supports "volatile" to mean fsync=0. */ offsetof (struct ovl_data, fsync), 0}, + {"noacl", + offsetof (struct ovl_data, noacl), 1}, FUSE_OPT_END }; 
@@ -427,7 +429,7 @@ ovl_init (void *userdata, struct fuse_conn_info *conn) if ((conn->capable & FUSE_CAP_WRITEBACK_CACHE) == 0) lo->writeback = 0; - if (conn->capable & FUSE_CAP_POSIX_ACL) + if ((lo->noacl == 0) && (conn->capable & FUSE_CAP_POSIX_ACL)) conn->want |= FUSE_CAP_POSIX_ACL; conn->want |= FUSE_CAP_DONT_MASK | FUSE_CAP_SPLICE_READ | FUSE_CAP_SPLICE_WRITE | FUSE_CAP_SPLICE_MOVE; @@ -5515,6 +5517,7 @@ main (int argc, char *argv[]) .redirect_dir = NULL, .mountpoint = NULL, .fsync = 1, + .noacl = 0, .squash_to_uid = -1, .squash_to_gid = -1, .static_nlink = 0,
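Review bot: The new condition in ovl_init silently changes the permission model when `noacl` is set: dropping FUSE_CAP_POSIX_ACL from `conn->want` stops the kernel from evaluating `system.posix_acl_access` on permission checks, but nothing in this hunk stops ACL xattrs from being stored or returned, so files that carry ACLs are presumably enforced by their mode bits alone once the flag is on (the xattr handlers are outside this hunk; confirm). That relaxation deserves a comment at the condition, e.g. `/* noacl: do not negotiate FUSE_CAP_POSIX_ACL; any ACL xattrs remain stored but are no longer enforced by the kernel. */`, and the man page entry added in the same commit should say the same rather than just "Disable ACL support". A log line next to the existing writeback fallback reporting whether ACLs were actually negotiated would also make the effective model visible at mount time, since the kernel may still refuse the capability even without `noacl`. ovl_init's body starts and ends outside the hunk.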