From: "Mickaël Salaün" <mic@digikod.net>
To: Anton Ivanov <anton.ivanov@cambridgegreys.com>,
	Johannes Berg <johannes@sipsolutions.net>,
	Richard Weinberger <richard@nod.at>
Cc: "Mickaël Salaün" <mic@digikod.net>,
	"Christopher Obbard" <chris.obbard@collabora.com>,
	"Guenter Roeck" <groeck@chromium.org>,
	"Günther Noack" <gnoack3000@gmail.com>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"James Morris" <jmorris@namei.org>, "Jeff Xu" <jeffxu@google.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Paul Moore" <paul@paul-moore.com>,
	"Ritesh Raj Sarraf" <ritesh@collabora.com>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	"Shuah Khan" <skhan@linuxfoundation.org>,
	"Sjoerd Simons" <sjoerd@collabora.com>,
	"Willem de Bruijn" <willemb@google.com>,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-kselftest@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [PATCH v1 0/5] Landlock support for UML
Date: Thu,  9 Mar 2023 17:54:50 +0100
Message-ID: <20230309165455.175131-1-mic@digikod.net>

Hi,

Commit cb2c7d1a1776 ("landlock: Support filesystem access-control")
introduced a new ARCH_EPHEMERAL_INODES configuration, only enabled for
User-Mode Linux.  The reason was that UML's hostfs managed inodes in an
ephemeral way: from the kernel point of view, the same inode struct
could be created several times while being used by user space because
the kernel didn't hold references to inodes.  Because Landlock (and
probably other subsystems) ties properties (i.e. access rights) to inode
objects, it wasn't possible to create rules that match inodes and then
allow specific accesses.

This patch series fixes the way UML manages inodes according to the
underlying filesystem.  They are now properly handled, as for other
filesystems, which makes it possible to support Landlock (and probably
other features).

Backporting these patches requires some selftest harness patches
backports too.

Regards,

Mickaël Salaün (5):
  hostfs: Fix ephemeral inodes
  selftests/landlock: Don't create useless file layouts
  selftests/landlock: Add supports_filesystem() helper
  selftests/landlock: Make mounts configurable
  selftests/landlock: Add tests for pseudo filesystems

 arch/Kconfig                               |   7 -
 arch/um/Kconfig                            |   1 -
 fs/hostfs/hostfs.h                         |   1 +
 fs/hostfs/hostfs_kern.c                    | 213 ++++++------
 fs/hostfs/hostfs_user.c                    |   1 +
 security/landlock/Kconfig                  |   2 +-
 tools/testing/selftests/landlock/config    |   8 +-
 tools/testing/selftests/landlock/fs_test.c | 381 +++++++++++++++++++--
 8 files changed, 472 insertions(+), 142 deletions(-)


base-commit: fe15c26ee26efa11741a7b632e9f23b01aca4cc6
-- 
2.39.2
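
As an added example (not part of this patch series), the user-space side of what the cover letter describes: a Landlock ruleset whose path rule is keyed on the inode behind an opened directory fd, with the ABI-version masking the Landlock documentation recommends. It assumes a kernel with Landlock and the linux/landlock.h UAPI header; the function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef LANDLOCK_ACCESS_FS_REFER    /* only in headers >= 5.19 (ABI 2) */
#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
#endif
#ifndef LANDLOCK_ACCESS_FS_TRUNCATE /* only in headers >= 6.2 (ABI 3) */
#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)
#endif
/* Drop rights the running kernel's Landlock ABI predates: passing them in
 * handled_access_fs makes landlock_create_ruleset() fail with EINVAL. */
static __u64 fs_access_for_abi(int abi, __u64 wanted)
{
	if (abi < 2)
		wanted &= ~(__u64)LANDLOCK_ACCESS_FS_REFER;
	if (abi < 3)
		wanted &= ~(__u64)LANDLOCK_ACCESS_FS_TRUNCATE;
	return wanted;
}

/* Allow read-only access below `dir`, deny the handled rights elsewhere.
 * Returns 0, or -errno (-ENOSYS/-EOPNOTSUPP when Landlock is unavailable).
 * The rule is keyed on the inode behind parent_fd, which is exactly what
 * ephemeral hostfs inodes (the problem fixed by patch 1/5) made unreliable. */
static int sandbox_readonly(const char *dir)
{
	long abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
	if (abi < 0)
		return -errno;
	struct landlock_ruleset_attr rs = { .handled_access_fs = fs_access_for_abi(
		(int)abi, LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |
		LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE) };
	int rs_fd = syscall(__NR_landlock_create_ruleset, &rs, sizeof(rs), 0);
	if (rs_fd < 0)
		return -errno;
	struct landlock_path_beneath_attr pb = {
		.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
		.parent_fd = open(dir, O_RDONLY), /* O_PATH | O_CLOEXEC is the usual choice */
	};
	if (pb.parent_fd < 0 ||
	    syscall(__NR_landlock_add_rule, rs_fd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0) ||
	    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
	    syscall(__NR_landlock_restrict_self, rs_fd, 0))
		return -errno;
	close(pb.parent_fd);
	close(rs_fd);
	return 0;
}
```

After sandbox_readonly() returns 0, opening a file for writing anywhere outside `dir` fails with EACCES for this process and its children, and the restriction cannot be lifted.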

