Subject: Re: [PATCH 0/7] Initial support for user namespace owned mounts
From: Lukasz Pawelczyk
To: "Eric W. Biederman", Casey Schaufler
Cc: Seth Forshee, Alexander Viro, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, Serge Hallyn, Andy Lutomirski, linux-kernel@vger.kernel.org
Date: Thu, 16 Jul 2015 13:16:44 +0200
Message-id: <1437045404.2207.5.camel@samsung.com>
In-reply-to: <87vbdlf7vo.fsf@x220.int.ebiederm.org>
References: <1436989569-69582-1-git-send-email-seth.forshee@canonical.com> <55A6C448.5050902@schaufler-ca.com> <87vbdlf7vo.fsf@x220.int.ebiederm.org>

On Wed, 2015-07-15 at 16:06 -0500, Eric W. Biederman wrote:
>
> I am on the fence with Lukasz Pawelczyk's patches. Some parts I liked,
> some parts I had issues with. As I recall one of my issues was that
> those patches conflicted in detail if not in principle with this
> approach.
>
> If these patches do not do a good job of laying the groundwork for
> supporting security labels that unprivileged users can set, then Seth
> could really use some feedback. Figuring out how to properly deal with
> the LSMs has been one of his challenges.

I fail to see how those two are in any conflict. Smack namespace is just a means of limiting the view of Smack labels within a user namespace, to be able to give some limited capabilities to processes in the namespace to make it possible to partially administer Smack there. It doesn't change Smack behaviour or mode of operation in any way.

If your approach here is to treat user ns mounted filesystems as if they didn't support xattrs at all, then my patches don't conflict here any more than Smack itself already does. If the filesystem gets a default label (e.g. by smack* mount options), then this label will work together with Smack namespaces.

-- 
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics