From: Amir Goldstein <amir73il-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Stefan Berger
<stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Cc: Miklos Szeredi <miklos-sUDqSbJrdHQHWmgEVkV9KA@public.gmane.org>,
lkp-JC7UmRfGjtg@public.gmane.org,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
xiaolong.ye-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
Mimi Zohar
<zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Subject: Re: [PATCH v4] Introduce v3 namespaced file capabilities
Date: Tue, 20 Jun 2017 22:56:59 +0300 [thread overview]
Message-ID: <CAOQ4uxhi06Yr4XRnKvy34MQhBPJ9GmG0GnyU6aKpb2rLb07sAg@mail.gmail.com> (raw)
In-Reply-To: <87dfaf3b-f466-9831-1c76-32d4cabd8cf6-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
On Tue, Jun 20, 2017 at 8:33 PM, Stefan Berger
<stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> wrote:
> On 06/20/2017 08:19 AM, Stefan Berger wrote:
>>
>> On 06/20/2017 01:42 AM, Amir Goldstein wrote:
>>>>
>>> Apropos stackable filesystems [cc some overlayfs folks], is there any
>>> way that parts of this work could be generalized towards ns aware
>>> trusted@uid.* xattr?
>>
>>
>> I am at least removing all string comparison with xattr names from the
>> core code and move the enabled xattr names into a list. For the security.*
>> extended attribute names we would enumerated the enabled ones in that list,
>> only security.capability for now. I am not sure how the trusted.* space
>> works.
>
>
> I extended 'the infrastructure' now to support prefix matching for trusted.*
> and probably others as well. It's fairly easy to do that but would not write
> the code like that for exact string matching to support security.capability.
> The patch lets me write trusted.foo@uid=100 from within the userns if
> uid=100 exists, rejects it otherwise. It may be written out as
> trusted.foo@uid=1100 for root mapping to uid 1000. I can list this entry on
> the host. For some reason trusted.* is not listed at all inside the userns.
> So something else needs to be enabled as well. For now it looks like this:
>
>
> https://github.com/stefanberger/linux/commit/8ae131e731c9e1def92a2100697632ea35e007d0
>
That looks useful!
I hope someone who knows his way around trusted xattr can say what's missing.
Thanks,
Amir.
WARNING: multiple messages have this Message-ID (diff)
From: Amir Goldstein <amir73il@gmail.com>
To: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Linux Containers <containers@lists.linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>,
xiaolong.ye@intel.com, lkp@01.org,
Vivek Goyal <vgoyal@redhat.com>,
Miklos Szeredi <miklos@szeredi.hu>
Subject: Re: [PATCH v4] Introduce v3 namespaced file capabilities
Date: Tue, 20 Jun 2017 22:56:59 +0300 [thread overview]
Message-ID: <CAOQ4uxhi06Yr4XRnKvy34MQhBPJ9GmG0GnyU6aKpb2rLb07sAg@mail.gmail.com> (raw)
In-Reply-To: <87dfaf3b-f466-9831-1c76-32d4cabd8cf6@linux.vnet.ibm.com>
On Tue, Jun 20, 2017 at 8:33 PM, Stefan Berger
<stefanb@linux.vnet.ibm.com> wrote:
> On 06/20/2017 08:19 AM, Stefan Berger wrote:
>>
>> On 06/20/2017 01:42 AM, Amir Goldstein wrote:
>>>>
>>> Apropos stackable filesystems [cc some overlayfs folks], is there any
>>> way that parts of this work could be generalized towards ns aware
>>> trusted@uid.* xattr?
>>
>>
>> I am at least removing all string comparison with xattr names from the
>> core code and move the enabled xattr names into a list. For the security.*
>> extended attribute names we would enumerated the enabled ones in that list,
>> only security.capability for now. I am not sure how the trusted.* space
>> works.
>
>
> I extended 'the infrastructure' now to support prefix matching for trusted.*
> and probably others as well. It's fairly easy to do that but would not write
> the code like that for exact string matching to support security.capability.
> The patch lets me write trusted.foo@uid=100 from within the userns if
> uid=100 exists, rejects it otherwise. It may be written out as
> trusted.foo@uid=1100 for root mapping to uid 1000. I can list this entry on
> the host. For some reason trusted.* is not listed at all inside the userns.
> So something else needs to be enabled as well. For now it looks like this:
>
>
> https://github.com/stefanberger/linux/commit/8ae131e731c9e1def92a2100697632ea35e007d0
>
That looks useful!
I hope someone who knows his way around trusted xattr can say what's missing.
Thanks,
Amir.
next prev parent reply other threads:[~2017-06-20 19:56 UTC|newest]
Thread overview: 97+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-07 9:21 64fa03de33: BUG:Dentry_still_in_use kernel test robot
2017-05-07 9:21 ` kernel test robot
2017-05-07 9:21 ` kernel test robot
[not found] ` <20170507092105.GA67584-aQzoWfPLU1itqXYlAKuG4QC/G2K4zDHf@public.gmane.org>
2017-05-08 4:44 ` Serge E. Hallyn
2017-05-08 4:44 ` Serge E. Hallyn
[not found] ` <20170508044408.GA11400-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-05-08 11:47 ` Masami Ichikawa
2017-05-08 11:47 ` Masami Ichikawa
2017-05-08 15:49 ` Serge E. Hallyn
[not found] ` <CACOXgS9a=avAWZEre1Q1CGjSHeq78Pkq1fYfwPjiyEX-u=B5wQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-05-08 15:49 ` Serge E. Hallyn
2017-05-08 18:11 ` [PATCH v4] Introduce v3 namespaced file capabilities Serge E. Hallyn
2017-05-08 18:11 ` Serge E. Hallyn
[not found] ` <20170508181156.GA23112-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-05-09 16:55 ` Eric W. Biederman
2017-05-09 16:55 ` Eric W. Biederman
2017-05-09 16:55 ` Eric W. Biederman
[not found] ` <87a86mvuko.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-05-09 20:37 ` Serge E. Hallyn
2017-05-09 20:37 ` Serge E. Hallyn
[not found] ` <20170509203736.GB14900-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-05-09 22:27 ` Eric W. Biederman
2017-05-09 22:27 ` Eric W. Biederman
2017-05-09 22:27 ` Eric W. Biederman
2017-06-13 15:47 ` Stefan Berger
2017-06-13 15:47 ` Stefan Berger
2017-06-13 15:47 ` Stefan Berger
2017-06-13 17:14 ` Tycho Andersen
2017-06-13 17:42 ` Stefan Berger
2017-06-13 17:42 ` Stefan Berger
2017-06-13 17:42 ` Stefan Berger
[not found] ` <f7c51332-e405-f337-3938-ad93bab8f50d-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2017-06-13 20:51 ` Tycho Andersen via Containers
2017-06-13 20:51 ` Tycho Andersen
2017-06-13 17:45 ` James Bottomley
2017-06-13 17:45 ` James Bottomley
2017-06-13 17:45 ` James Bottomley
2017-06-13 20:46 ` Tycho Andersen
2017-06-13 20:49 ` Stefan Berger
2017-06-13 20:49 ` Stefan Berger
2017-06-13 20:49 ` Stefan Berger
2017-06-13 20:53 ` Tycho Andersen
2017-06-13 20:58 ` Stefan Berger
2017-06-13 20:58 ` Stefan Berger
2017-06-13 20:58 ` Stefan Berger
2017-06-13 20:59 ` Mimi Zohar
2017-06-13 20:59 ` Mimi Zohar
[not found] ` <1497387570.21594.427.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2017-06-13 21:09 ` Tycho Andersen via Containers
2017-06-13 21:09 ` Tycho Andersen
2017-06-13 20:59 ` Mimi Zohar
[not found] ` <8933bf11-7ca2-fa12-8d51-46d94d94a182-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2017-06-13 20:53 ` Tycho Andersen via Containers
[not found] ` <1497375902.7379.25.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2017-06-13 20:46 ` Tycho Andersen via Containers
2017-06-13 17:18 ` Serge E. Hallyn
2017-06-13 18:12 ` Stefan Berger
2017-06-13 18:12 ` Stefan Berger
2017-06-13 23:55 ` Serge E. Hallyn
[not found] ` <20170613235521.GC15685-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-06-14 12:27 ` Stefan Berger
2017-06-14 12:27 ` Stefan Berger
2017-06-14 12:27 ` Stefan Berger
[not found] ` <ce471b11-e76a-25f3-eae8-eca30e7233af-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2017-06-15 3:05 ` Serge E. Hallyn
2017-06-15 3:05 ` Serge E. Hallyn
2017-06-16 9:02 ` Christian Brauner
[not found] ` <20170615030543.GA8979-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-06-16 9:02 ` Christian Brauner
2017-06-16 22:24 ` Stefan Berger
2017-06-16 22:24 ` Stefan Berger
2017-06-16 22:24 ` Stefan Berger
2017-06-17 20:56 ` Stefan Berger
2017-06-17 20:56 ` Stefan Berger
2017-06-17 20:56 ` Stefan Berger
[not found] ` <f0df1914-bca2-31a0-cdba-df30d85d70b3-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2017-06-18 22:14 ` Serge E. Hallyn
2017-06-18 22:14 ` Serge E. Hallyn
[not found] ` <20170618221418.GA364-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-06-19 1:13 ` Stefan Berger
2017-06-19 1:13 ` Stefan Berger
2017-06-19 1:13 ` Stefan Berger
[not found] ` <e9720595-2cdc-4dd7-57e7-95b85896d4ac-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2017-06-19 13:05 ` Stefan Berger
2017-06-19 13:05 ` Stefan Berger
2017-06-19 13:05 ` Stefan Berger
2017-06-20 6:23 ` Serge E. Hallyn
2017-06-20 6:23 ` Serge E. Hallyn
2017-06-19 21:34 ` Eric W. Biederman
2017-06-19 21:34 ` Eric W. Biederman
2017-06-19 21:34 ` Eric W. Biederman
2017-06-20 5:42 ` Amir Goldstein
[not found] ` <CAOQ4uxhi5fezF7e9FpS=hHUb1LqzyCNq9BcG14RV_Srj1hS-Vw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-06-20 12:19 ` Stefan Berger
2017-06-20 12:19 ` Stefan Berger
2017-06-20 12:19 ` Stefan Berger
[not found] ` <645d3a5e-4b76-cc90-50d6-4a7a7c3b678c-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2017-06-20 17:33 ` Stefan Berger
2017-06-20 17:33 ` Stefan Berger
2017-06-20 17:33 ` Stefan Berger
[not found] ` <87dfaf3b-f466-9831-1c76-32d4cabd8cf6-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2017-06-20 19:56 ` Amir Goldstein [this message]
2017-06-20 19:56 ` Amir Goldstein
2017-06-20 19:57 ` Vivek Goyal
2017-06-20 19:57 ` Vivek Goyal
2017-06-20 19:57 ` Vivek Goyal
[not found] ` <87tw3boe5d.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-06-20 5:42 ` Amir Goldstein
[not found] ` <74e490f3-3c47-abfa-86ae-0fa0d1ddb43a-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2017-06-13 23:55 ` Serge E. Hallyn
[not found] ` <20170613171818.GA9070-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-06-13 18:12 ` Stefan Berger
[not found] ` <9f80188c-df03-066a-5dac-785cc711d064-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2017-06-13 17:14 ` Tycho Andersen via Containers
2017-06-13 17:18 ` Serge E. Hallyn
2017-06-13 23:42 ` Serge E. Hallyn
2017-06-13 23:42 ` Serge E. Hallyn
[not found] ` <20170613234214.GA15685-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-06-13 23:50 ` Serge E. Hallyn
2017-06-13 23:50 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAOQ4uxhi06Yr4XRnKvy34MQhBPJ9GmG0GnyU6aKpb2rLb07sAg@mail.gmail.com \
--to=amir73il-re5jqeeqqe8avxtiumwx3w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=lkp-JC7UmRfGjtg@public.gmane.org \
--cc=miklos-sUDqSbJrdHQHWmgEVkV9KA@public.gmane.org \
--cc=stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org \
--cc=xiaolong.ye-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \
--cc=zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.