From: Amir Goldstein
Date: Tue, 20 Jun 2017 22:56:59 +0300
Subject: Re: [PATCH v4] Introduce v3 namespaced file capabilities
To: Stefan Berger
Cc: "Eric W. Biederman", "Serge E. Hallyn", Mimi Zohar, Linux Containers, LKML, xiaolong.ye@intel.com, lkp@01.org, Vivek Goyal, Miklos Szeredi

On Tue, Jun 20, 2017 at 8:33 PM, Stefan Berger wrote:
> On 06/20/2017 08:19 AM, Stefan Berger wrote:
>> On 06/20/2017 01:42 AM, Amir Goldstein wrote:
>>> Apropos stackable filesystems [cc some overlayfs folks], is there any
>>> way that parts of this work could be generalized towards ns aware
>>> trusted@uid.* xattr?
>>
>> I am at least removing all string comparisons with xattr names from the
>> core code and moving the enabled xattr names into a list. For the security.*
>> extended attribute names we would enumerate the enabled ones in that list,
>> only security.capability for now. I am not sure how the trusted.* space
>> works.
>
> I extended 'the infrastructure' now to support prefix matching for trusted.*
> and probably others as well. It's fairly easy to do that but would not write
> the code like that for exact string matching to support security.capability.
> The patch lets me write trusted.foo@uid=100 from within the userns if
> uid=100 exists, rejects it otherwise. It may be written out as
> trusted.foo@uid=1100 for root mapping to uid 1000. I can list this entry on
> the host. For some reason trusted.* is not listed at all inside the userns.
> So something else needs to be enabled as well. For now it looks like this:
>
> https://github.com/stefanberger/linux/commit/8ae131e731c9e1def92a2100697632ea35e007d0

That looks useful!
I hope someone who knows his way around trusted xattr can say what's missing.

Thanks,
Amir.