From: Amir Goldstein <amir73il-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Stefan Berger <stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Cc: Miklos Szeredi <miklos-sUDqSbJrdHQHWmgEVkV9KA@public.gmane.org>, lkp-JC7UmRfGjtg@public.gmane.org, Linux Containers <containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>, LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, xiaolong.ye-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org, "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>, Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Subject: Re: [PATCH v4] Introduce v3 namespaced file capabilities
Date: Tue, 20 Jun 2017 22:56:59 +0300
Message-ID: <CAOQ4uxhi06Yr4XRnKvy34MQhBPJ9GmG0GnyU6aKpb2rLb07sAg@mail.gmail.com>
In-Reply-To: <87dfaf3b-f466-9831-1c76-32d4cabd8cf6-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>

On Tue, Jun 20, 2017 at 8:33 PM, Stefan Berger <stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> wrote:
> On 06/20/2017 08:19 AM, Stefan Berger wrote:
>>
>> On 06/20/2017 01:42 AM, Amir Goldstein wrote:
>>>
>>> Apropos stackable filesystems [cc some overlayfs folks], is there any
>>> way that parts of this work could be generalized towards ns aware
>>> trusted@uid.* xattr?
>>
>>
>> I am at least removing all string comparison with xattr names from the
>> core code and moving the enabled xattr names into a list. For the security.*
>> extended attribute names we would enumerate the enabled ones in that list,
>> only security.capability for now. I am not sure how the trusted.* space
>> works.
>
>
> I extended 'the infrastructure' now to support prefix matching for trusted.*
> and probably others as well. It's fairly easy to do that but would not write
> the code like that for exact string matching to support security.capability.
> The patch lets me write trusted.foo@uid=100 from within the userns if
> uid=100 exists, rejects it otherwise. It may be written out as
> trusted.foo@uid=1100 for root mapping to uid 1000. I can list this entry on
> the host. For some reason trusted.* is not listed at all inside the userns.
> So something else needs to be enabled as well. For now it looks like this:
>
>
> https://github.com/stefanberger/linux/commit/8ae131e731c9e1def92a2100697632ea35e007d0
>

That looks useful!
I hope someone who knows his way around trusted xattr can say what's missing.

Thanks,
Amir.
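The name rewriting Stefan describes (trusted.foo@uid=100 written inside the userns, stored on the host as trusted.foo@uid=1100 when root is mapped to uid 1000, and rejected when the uid is not mapped) can be modelled in user space. The program below is an added example, not code from Stefan's patch or from the kernel: the uid_map table is constructed (one line, "0 1000 65536"), and the function names, the -EINVAL/-EPERM choices and the reverse mapping used for the listing direction are assumptions for illustration.

```c
/* Added example, not code from the patch or the kernel: a user-space model of
 * the name rewriting the message describes. An xattr named
 * trusted.<name>@uid=<N> set inside a user namespace is stored on the host as
 * trusted.<name>@uid=<host uid of N>, and is rejected when N is not mapped
 * into the namespace. The uid_map below is constructed (ns uid 0..65535 ->
 * host uid 1000..66535, i.e. root mapped to 1000, as in the message). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One line of /proc/<pid>/uid_map: "ns_first host_first count". */
struct uid_map_entry {
    unsigned ns_first;
    unsigned host_first;
    unsigned count;
};

static const struct uid_map_entry uid_map[] = { { 0, 1000, 65536 } };
#define UID_MAP_LEN (sizeof uid_map / sizeof uid_map[0])

/* Translate a uid as seen inside the namespace to the host uid; -1 if unmapped. */
long ns_uid_to_host(unsigned ns_uid)
{
    for (size_t i = 0; i < UID_MAP_LEN; i++)
        if (ns_uid >= uid_map[i].ns_first &&
            ns_uid - uid_map[i].ns_first < uid_map[i].count)
            return (long)uid_map[i].host_first + (ns_uid - uid_map[i].ns_first);
    return -1;
}

/* Reverse direction, for the listing side: host uid -> ns uid; -1 if not visible. */
long host_uid_to_ns(unsigned host_uid)
{
    for (size_t i = 0; i < UID_MAP_LEN; i++)
        if (host_uid >= uid_map[i].host_first &&
            host_uid - uid_map[i].host_first < uid_map[i].count)
            return (long)uid_map[i].ns_first + (host_uid - uid_map[i].host_first);
    return -1;
}

/* Parse "<prefix>@uid=<N>": store the length of <prefix> and return N, or -1
 * when the suffix is missing or N is not a plain decimal number. */
static long parse_uid_suffix(const char *name, size_t *prefix_len)
{
    const char *at = strrchr(name, '@');
    char *end;
    unsigned long n;

    if (!at || strncmp(at, "@uid=", 5) != 0 || at[5] == '\0')
        return -1;
    errno = 0;
    n = strtoul(at + 5, &end, 10);
    if (*end != '\0' || errno != 0 || n > 0xFFFFFFFEul)
        return -1;
    *prefix_len = (size_t)(at - name);
    return (long)n;
}

/* Rewrite a trusted.*@uid=N name from the namespace view to the host view.
 * Returns 0 and fills out on success, -EINVAL for names this model does not
 * handle, -EPERM when N is not mapped into the namespace (hypothetical codes). */
int rewrite_trusted_xattr_name(const char *name, char *out, size_t outlen)
{
    size_t prefix_len;
    long ns_uid, host_uid;

    if (strncmp(name, "trusted.", 8) != 0)
        return -EINVAL;
    ns_uid = parse_uid_suffix(name, &prefix_len);
    if (ns_uid < 0)
        return -EINVAL;
    host_uid = ns_uid_to_host((unsigned)ns_uid);
    if (host_uid < 0)
        return -EPERM;          /* uid does not exist in this userns */
    if (snprintf(out, outlen, "%.*s@uid=%ld", (int)prefix_len, name, host_uid) >= (int)outlen)
        return -ENAMETOOLONG;
    return 0;
}

/* Convenience wrappers: host-view name in a static buffer (NULL on rejection),
 * and the bare status code. */
const char *rewrite_trusted_xattr_name_static(const char *name)
{
    static char buf[256];
    return rewrite_trusted_xattr_name(name, buf, sizeof buf) == 0 ? buf : NULL;
}

int rewrite_trusted_xattr_name_status(const char *name)
{
    char buf[256];
    return rewrite_trusted_xattr_name(name, buf, sizeof buf);
}

int main(void)
{
    const char *names[] = { "trusted.foo@uid=100", "trusted.foo@uid=70000",
                            "user.foo@uid=100", "trusted.foo" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *host = rewrite_trusted_xattr_name_static(names[i]);
        printf("%-24s -> %s (status %d)\n", names[i], host ? host : "rejected",
               rewrite_trusted_xattr_name_status(names[i]));
    }
    return 0;
}
```

The check that matters for security is the rejection path: a uid that is not mapped into the namespace has no host identity to store, so the write must fail rather than fall back to the unmapped number, otherwise a container could plant attributes attributed to host users it does not own. The reverse mapping is what a listing inside the namespace would have to apply; entries whose host uid maps to nothing should stay hidden.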