diff for duplicates of <1501008554.3689.30.camel@HansenPartnership.com> diff --git a/a/1.txt b/N1/1.txt index cfec11f..435efea 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -3,7 +3,7 @@ On Tue, 2017-07-25 at 12:53 -0500, Serge E. Hallyn wrote: > > > > From: Yuqiong Sun <suny@us.ibm.com> > > -> > Add new CONFIG_IMA_NS config option.??Let clone() create a new IMA +> > Add new CONFIG_IMA_NS config option. Let clone() create a new IMA > > namespace upon CLONE_NEWNS flag. Add ima_ns data structure in > > nsproxy. > > ima_ns is allocated and freed upon IMA namespace creation and exit. @@ -20,19 +20,14 @@ On Tue, 2017-07-25 at 12:53 -0500, Serge E. Hallyn wrote: > Hi, > > So this means that every mount namespace clone will clone a new IMA -> namespace.??Is that really ok? +> namespace. Is that really ok? Based on what: space concerns (struct ima_ns is reasonably small)? or -whether tying it to the mount namespace is the correct thing to do. ?On +whether tying it to the mount namespace is the correct thing to do. On the latter, it does seem that this should be a property of either the -mount or user ns rather than its own separate ns. ?I could see a use +mount or user ns rather than its own separate ns. I could see a use where even a container might want multiple ima keyrings within the container (say containerised apache service with multiple tenants), so instinct tells me that mount ns is the correct granularity for this. James - --- -To unsubscribe from this list: send the line "unsubscribe linux-security-module" in -the body of a message to majordomo at vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index 61cf0ac..f5b5b6a 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -1,10 +1,19 @@ "ref\020170720225033.21298-1-mkayaalp@linux.vnet.ibm.com\0" "ref\020170720225033.21298-2-mkayaalp@linux.vnet.ibm.com\0" "ref\020170725175317.GA727@mail.hallyn.com\0" - "From\0James.Bottomley@hansenpartnership.com (James Bottomley)\0" - "Subject\0[RFC PATCH 1/5] ima: extend clone() with IMA namespace support\0" + "From\0James Bottomley <James.Bottomley@hansenpartnership.com>\0" + "Subject\0Re: [RFC PATCH 1/5] ima: extend clone() with IMA namespace support\0" "Date\0Tue, 25 Jul 2017 11:49:14 -0700\0" - "To\0linux-security-module@vger.kernel.org\0" + "To\0Serge E. Hallyn <serge@hallyn.com>" + " Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>\0" + "Cc\0Mehmet Kayaalp <mkayaalp@cs.binghamton.edu>" + Yuqiong Sun <sunyuqiong1988@gmail.com> + containers <containers@lists.linux-foundation.org> + linux-kernel <linux-kernel@vger.kernel.org> + David Safford <david.safford@ge.com> + linux-security-module <linux-security-module@vger.kernel.org> + ima-devel <linux-ima-devel@lists.sourceforge.net> + " Yuqiong Sun <suny@us.ibm.com>\0" "\00:1\0" "b\0" "On Tue, 2017-07-25 at 12:53 -0500, Serge E. Hallyn wrote:\n" @@ -12,7 +21,7 @@ "> > \n" "> > From: Yuqiong Sun <suny@us.ibm.com>\n" "> > \n" - "> > Add new CONFIG_IMA_NS config option.??Let clone() create a new IMA\n" + "> > Add new CONFIG_IMA_NS config option.\302\240\302\240Let clone() create a new IMA\n" "> > namespace upon CLONE_NEWNS flag. Add ima_ns data structure in\n" "> > nsproxy.\n" "> > ima_ns is allocated and freed upon IMA namespace creation and exit.\n" 
@@ -29,21 +38,16 @@ "> Hi,\n" "> \n" "> So this means that every mount namespace clone will clone a new IMA\n" - "> namespace.??Is that really ok?\n" + "> namespace.\302\240\302\240Is that really ok?\n" "\n" "Based on what: space concerns (struct ima_ns is reasonably small)? or\n" - "whether tying it to the mount namespace is the correct thing to do. ?On\n" + "whether tying it to the mount namespace is the correct thing to do. \302\240On\n" "the latter, it does seem that this should be a property of either the\n" - "mount or user ns rather than its own separate ns. ?I could see a use\n" + "mount or user ns rather than its own separate ns. \302\240I could see a use\n" "where even a container might want multiple ima keyrings within the\n" "container (say containerised apache service with multiple tenants), so\n" "instinct tells me that mount ns is the correct granularity for this.\n" "\n" - "James\n" - "\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" - "the body of a message to majordomo at vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + James -5c4888ce335dd757948730d7c8f050abe5656b44a40da4742ecbdae709fe120c +1568b58dc2af1e2c93dd8bb81cae0339bcab99bb9e023c15b15ae32fb4fa694d
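Review bot: the body-text differences in both hunks are whitespace encoding only, so the changed digest at the end reflects header normalisation rather than any change in what James wrote. In a/1.txt the `??` after "config option." and "really ok?" (and the lone `?` before "On" and "I could see") become plain spaces, while in content_digest they become `\302\240\302\240`; octal `\302\240` is the UTF-8 byte pair for U+00A0 (non-breaking space), so the older copy had mis-decoded the same non-breaking spaces. The remaining changes are metadata: From gains a display name, Subject gains "Re:", To and Cc are expanded from the bare list address, and the majordomo unsubscribe trailer is dropped. Nothing here alters the IMA namespace discussion itself.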