From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752846AbdGNAqg (ORCPT <rfc822;w@1wt.eu>);
        Thu, 13 Jul 2017 20:46:36 -0400
Received: from out01.mta.xmission.com ([166.70.13.231]:48471 "EHLO
        out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751828AbdGNAqd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 13 Jul 2017 20:46:33 -0400
From: ebiederm@xmission.com (Eric W. Biederman)
To: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: "Theodore Ts'o" <tytso@mit.edu>, "Serge E. Hallyn" <serge@hallyn.com>,
        containers@lists.linux-foundation.org, lkp@01.org,
        linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com,
        tycho@docker.com, James.Bottomley@HansenPartnership.com,
        vgoyal@redhat.com, christian.brauner@mailbox.org, amir73il@gmail.com,
        linux-security-module@vger.kernel.org, casey@schaufler-ca.com
References: <1499785511-17192-1-git-send-email-stefanb@linux.vnet.ibm.com>
        <1499785511-17192-2-git-send-email-stefanb@linux.vnet.ibm.com>
        <87mv89iy7q.fsf@xmission.com> <20170712170346.GA17974@mail.hallyn.com>
        <877ezdgsey.fsf@xmission.com>
        <74664cc8-bc3e-75d6-5892-f8934404349f@linux.vnet.ibm.com>
        <20170713011554.xwmrgkzfwnibvgcu@thunk.org>
        <87y3rscz9j.fsf@xmission.com>
        <20170713164012.brj2flnkaaks2oci@thunk.org>
        <87k23cb6os.fsf@xmission.com>
        <847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com>
        <87bmoo8bxb.fsf@xmission.com>
        <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com>
Date: Thu, 13 Jul 2017 19:38:30 -0500
In-Reply-To: <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com> (Stefan
        Berger's message of "Thu, 13 Jul 2017 17:35:22 -0400")
Message-ID: <87h8yf7szd.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1dVokT-0006cv-3H;;;mid=<87h8yf7szd.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=67.3.213.87;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX1/kjlVI2nzKschsLlkxs0ex0AQ6di6deIE=
X-SA-Exim-Connect-IP: 67.3.213.87
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.7 XMSubLong Long Subject
        *  0.0 TVD_RCVD_IP Message was received from an IP address
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.4982]
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa06 1397; Body=1 Fuz1=1 Fuz2=1]
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ;Stefan Berger <stefanb@linux.vnet.ibm.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 5840 ms - load_scoreonly_sql: 0.03 (0.0%),
        signal_user_changed: 2.5 (0.0%), b_tie_ro: 1.75 (0.0%), parse: 0.74 (0.0%),
        extract_message_metadata: 13 (0.2%), get_uri_detail_list: 0.99 (0.0%),
        tests_pri_-1000: 5 (0.1%), tests_pri_-950: 1.12 (0.0%), tests_pri_-900: 0.97
        (0.0%), tests_pri_-400: 17 (0.3%), check_bayes: 16 (0.3%), b_tokenize: 5
        (0.1%), b_tok_get_all: 5 (0.1%), b_comp_prob: 1.48 (0.0%), b_tok_touch_all:
        2.5 (0.0%), b_finish: 0.54 (0.0%), tests_pri_0: 125 (2.1%),
        check_dkim_signature: 0.44 (0.0%), check_dkim_adsp: 2.6 (0.0%),
        tests_pri_500: 5672 (97.1%), poll_dns_idle: 5661 (96.9%), rewrite_mail: 0.00
        (0.0%)
Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Stefan Berger <stefanb@linux.vnet.ibm.com> writes:

> On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
>
> > My big question right now is can you implement Ted's suggested
> > restriction.  Only one security.foo or secuirty.foo@... attribute ?

> We need to raw-list the xattrs and do the check before writing them. I am fairly sure this can be done.
>
> So now you want to allow security.foo and one security.foo@uid=<> or just a single one security.foo(@[[:print:]]*)?
>

The latter.

Eric

From mboxrd@z Thu Jan  1 00:00:00 1970
From: ebiederm@xmission.com (Eric W. Biederman)
Date: Thu, 13 Jul 2017 19:38:30 -0500
Subject: [PATCH v2] xattr: Enable security.capability in user namespaces
In-Reply-To: <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com> (Stefan
	Berger's message of "Thu, 13 Jul 2017 17:35:22 -0400")
References: <1499785511-17192-1-git-send-email-stefanb@linux.vnet.ibm.com>
	<1499785511-17192-2-git-send-email-stefanb@linux.vnet.ibm.com>
	<87mv89iy7q.fsf@xmission.com> <20170712170346.GA17974@mail.hallyn.com>
	<877ezdgsey.fsf@xmission.com>
	<74664cc8-bc3e-75d6-5892-f8934404349f@linux.vnet.ibm.com>
	<20170713011554.xwmrgkzfwnibvgcu@thunk.org>
	<87y3rscz9j.fsf@xmission.com>
	<20170713164012.brj2flnkaaks2oci@thunk.org>
	<87k23cb6os.fsf@xmission.com>
	<847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com>
	<87bmoo8bxb.fsf@xmission.com>
	<9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com>
Message-ID: <87h8yf7szd.fsf@xmission.com>
To: linux-security-module@vger.kernel.org
List-Id: linux-security-module.vger.kernel.org

Stefan Berger <stefanb@linux.vnet.ibm.com> writes:

> On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
>
> > My big question right now is can you implement Ted's suggested
> > restriction.  Only one security.foo or secuirty.foo at ... attribute ?

> We need to raw-list the xattrs and do the check before writing them. I am fairly sure this can be done.
>
> So now you want to allow security.foo and one security.foo at uid=<> or just a single one security.foo(@[[:print:]]*)?
>

The latter.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

From mboxrd@z Thu Jan  1 00:00:00 1970
Content-Type: multipart/mixed; boundary="===============6969923138613723628=="
MIME-Version: 1.0
From: Eric W. Biederman <ebiederm@xmission.com>
To: lkp@lists.01.org
Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces
Date: Thu, 13 Jul 2017 19:38:30 -0500
Message-ID: <87h8yf7szd.fsf@xmission.com>
In-Reply-To: <9a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com>
List-Id: <oe-lkp.lists.linux.dev>

--===============6969923138613723628==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Stefan Berger <stefanb@linux.vnet.ibm.com> writes:

> On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
>
> > My big question right now is can you implement Ted's suggested
> > restriction.  Only one security.foo or secuirty.foo(a)... attribute ?

> We need to raw-list the xattrs and do the check before writing them. I am=
 fairly sure this can be done.
>
> So now you want to allow security.foo and one security.foo(a)uid=3D<> or =
just a single one security.foo(@[[:print:]]*)?
>

The latter.

Eric

--===============6969923138613723628==--