Bug 2138321

Summary: [Regression] The NFS v4 server won't return failure when failing to set ACLs
Product: Red Hat Enterprise Linux 9 Reporter: Yongcheng Yang <yoyang>
Component: kernelAssignee: Jeff Layton <jlayton>
kernel sub component: NFS QA Contact: Yongcheng Yang <yoyang>
Status: CLOSED ERRATA Docs Contact:
Severity: unspecified    
Priority: unspecified CC: ajmitchell, jlayton, xzhou, yieli
Version: 9.2Keywords: Regression, Triaged
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: kernel-5.14.0-239.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-09 08:05:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yongcheng Yang 2022-10-28 06:05:38 UTC 
Description of problem:
Since kernel-5.14.0-178.el9 we have a new failure when testing the NFSv4 ACLs.
The test scenario is that user tries to set ACLs to file which he doesn't have permission. And it should be failed as before. But now looks like the NFS v4 server won't return failure when it actually fails to set that ACLs.

Version-Release number of selected component (if applicable):
since kernel 5.14.0-178.el9

How reproducible:
always

Steps to Reproduce:
1. Try to `nfs4_setfacl` a file but don't have permission to do that.
2.
3.

Actual results:
https://beaker.engineering.redhat.com/jobs/7175603 (in kernel-5.14.0-178.el9)
---
[09:25:26 root@ ~~]# nfsstat -m
/mnt/nfsmp-user_permission_check from fsqe-r640-02.fs.lab.eng.bos.redhat.com:/exportdir-user_permission_check
 Flags:	rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.16.56.10,local_lock=none,addr=10.16.224.250

[09:25:26 root@ ~~]# su alice -c 'touch /mnt/nfsmp-user_permission_check/testfile_alice'
[09:25:26 root@ ~~]# ls -l /mnt/nfsmp-user_permission_check/testfile_alice
-rw-r--r--. 1 alice alice 0 Oct 27 09:25 /mnt/nfsmp-user_permission_check/testfile_alice
[09:25:26 root@ ~~]# nfs4_getfacl /mnt/nfsmp-user_permission_check/testfile_alice

# file: /mnt/nfsmp-user_permission_check/testfile_alice
A::OWNER@:rwatTcCy
A::GROUP@:rtcy
A::EVERYONE@:rtcy
{Info} Try to set the ACL by another user, should be failed.
[09:25:26 root@ ~~]# su bob -c 'nfs4_setfacl -a "A::1002:rwaDxtTcCy" /mnt/nfsmp-user_permission_check/testfile_alice'
^^^^^^^^^^^^^^^ [   FAIL   ] :: Only the owner of a file should be able to set its ACL. (Expected 1-255, got 0)
[09:25:26 root@ ~~]# nfs4_getfacl /mnt/nfsmp-user_permission_check/testfile_alice

# file: /mnt/nfsmp-user_permission_check/testfile_alice
A::OWNER@:rwatTcCy
A::GROUP@:rtcy
A::EVERYONE@:rtcy


Expected results:
https://beaker.engineering.redhat.com/jobs/7179170 (with kernel-5.14.0-177.el9)
---
[01:09:51 root@ ~~]# su bob -c 'nfs4_setfacl -a "A::1002:rwaDxtTcCy" /mnt/nfsmp-user_permission_check/testfile_alice'
Failed setxattr operation: Operation not permitted


Additional info:
We have just updated a lot of NFS patches in Bug 2094072 and maybe those ACL updates matters:
[yoyang@yoyang-vm kernel-rhel9]$ git lo kernel-5.14.0-178.el9...kernel-5.14.0-177.el9 | grep -i acl
 5ada9b19fb98 NFSD: fix regression with setting ACLs.
 be0d61202bbd NFSD: add posix ACLs to struct nfsd_attrs
Comment 1 Yongcheng Yang 2022-10-28 06:08:08 UTC 
(In reply to Yongcheng Yang from comment #0)
> ... 
> Additional info:
> We have just updated a lot of NFS patches in Bug 2094072 and maybe those ACL updates matters:
> [yoyang@yoyang-vm kernel-rhel9]$ git lo
> kernel-5.14.0-178.el9...kernel-5.14.0-177.el9 | grep -i acl
>  5ada9b19fb98 NFSD: fix regression with setting ACLs.
>  be0d61202bbd NFSD: add posix ACLs to struct nfsd_attrs

And for now the upstream kernel (6.1.0-rc2+) also has this problem.
Comment 2 Jeff Layton 2022-11-07 11:56:37 UTC 
Making this bug public since there isn't any proprietary info here.
Comment 3 Jeff Layton 2022-11-07 12:01:54 UTC 
Patch posted upstream:

https://lore.kernel.org/linux-nfs/20221107115841.26380-1-jlayton@kernel.org/T/#u
Comment 6 Jeff Layton 2022-11-10 20:52:16 UTC 
Moving back to ASSIGNED as we need to wait for the patches to hit mainline.
Comment 24 Yongcheng Yang 2023-01-26 11:39:57 UTC 
Have just verified this issue in kernel 5.14.0-239.el9:
https://beaker.engineering.redhat.com/jobs/7468311
Comment 26 errata-xmlrpc 2023-05-09 08:05:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: kernel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2458