Hi Jan Kara,

Hope you‘ve recovered physically. :)

I've pushed the version 11 patches which still disallow the ownder of
a file to change its project ID. I will remove this limit in the
coming verion 12 patches.

On Wed, Apr 1, 2015 at 3:20 PM, Jan Kara [off-list ref] wrote:

On Fri 20-03-15 21:24:07, Li Xi wrote:

quoted

On Thu, Mar 19, 2015 at 5:56 PM, Jan Kara [off-list ref] wrote:

quoted

On Thu 19-03-15 04:04:56, Li Xi wrote:

quoted

This patch adds FS_IOC_FSSETXATTR/FS_IOC_FSGETXATTR ioctl interface
support for ext4. The interface is kept consistent with
XFS_IOC_FSGETXATTR/XFS_IOC_FSGETXATTR.

  Two more comments below.

quoted

Signed-off-by: Li Xi <redacted>

...

quoted

+static int ext4_ioctl_setproject(struct file *filp, __u32 projid)
+{
+     struct inode *inode = file_inode(filp);
+     struct super_block *sb = inode->i_sb;
+     struct ext4_inode_info *ei = EXT4_I(inode);
+     int err;
+     handle_t *handle;
+     kprojid_t kprojid;
+     struct ext4_iloc iloc;
+     struct ext4_inode *raw_inode;
+
+     struct dquot *transfer_to[EXT4_MAXQUOTAS] = { };
+
+     /* Make sure caller can change project. */
+     if (!capable(CAP_SYS_ADMIN))
+             return -EACCES;

  Why do you test capabilities here when you already test permission in
EXT4_IOC_FSSETXATTR? Furthermore this test is too restrictive. Just delete
it.

It seems we need this restrictive permission. Otherwise the owner of the file
can change the project ID to any other project. That means, the owner can
walk around the quota limit whenever he/she wants. But I agree checking
permission twice is not good.

  Sorry for a late reply but I was catching up with stuff after a
conference and then got ill. So I agree that owner of a file can escape
project quota limit whenever he/she wants by setting project to something
else. Sadly that's how project quota has been originally designed and how
it works in XFS for years. So we should start with being compatible with
this behavior.

Konstantin has in his patches patch "fs: protected project id" which
creates a sysctl which controls whether or not owner is able to set
arbitrary project id. That is one way to improve the situation so that
project quotas are usable also in situations where setting project quotas
to any project by file owner is undesirable. Christoph also had an idea
that we could allow owner to set project to anything when current project
is unset (0). Once project is set, only CAP_SYS_ADMIN (maybe better
capability would be CAP_CHOWN actually) process can change it. We can
discuss how to change the current XFS model to suit new usecases but IMHO
we should start the way XFS is...

                                                                Honza
--
Jan Kara [off-list ref]
SUSE Labs, CR

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html