Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752854AbdGMVVO (ORCPT <rfc822;w@1wt.eu>);
        Thu, 13 Jul 2017 17:21:14 -0400
Received: from h2.hallyn.com ([78.46.35.8]:37414 "EHLO h2.hallyn.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752760AbdGMVVN (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 13 Jul 2017 17:21:13 -0400
Date: Thu, 13 Jul 2017 16:21:11 -0500
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
        "Theodore Ts'o" <tytso@mit.edu>, "Serge E. Hallyn" <serge@hallyn.com>,
        containers@lists.linux-foundation.org, lkp@01.org,
        linux-kernel@vger.kernel.org, zohar@linux.vnet.ibm.com,
        tycho@docker.com, James.Bottomley@HansenPartnership.com,
        vgoyal@redhat.com, christian.brauner@mailbox.org, amir73il@gmail.com,
        linux-security-module@vger.kernel.org, casey@schaufler-ca.com
Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces
Message-ID: <20170713212111.GC6167@mail.hallyn.com>
References: <1499785511-17192-2-git-send-email-stefanb@linux.vnet.ibm.com>
 <87mv89iy7q.fsf@xmission.com>
 <20170712170346.GA17974@mail.hallyn.com>
 <877ezdgsey.fsf@xmission.com>
 <74664cc8-bc3e-75d6-5892-f8934404349f@linux.vnet.ibm.com>
 <20170713011554.xwmrgkzfwnibvgcu@thunk.org>
 <87y3rscz9j.fsf@xmission.com>
 <20170713164012.brj2flnkaaks2oci@thunk.org>
 <87k23cb6os.fsf@xmission.com>
 <847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 660
Lines: 21

Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):
> For virtualizing the xattrs on the 'value' side I was looking for
> whether there's something like a 'wrapper' structure around the
> actual value of the xattr so that that wrapper could be extended to
> support different values at different uids and applied to any xattr.
> Unfortunately there's no such 'wrapper'.

I believe my very first implementation did essentially this - it used
the not uncommon structure of (mostly making this up):

struct ns_vfs_cap {
	int magic;
	int ncaps;
	struct ns_vfs_cap_data data[0];
};

with (ncaps * sizeof(ns_vfs_cap_data)) following that.

I didn't like it.

-serge