From: Dave Chinner <david@fromorbit.com>
To: Ben Myers <bpm@sgi.com>
Cc: Dwight Engen <dwight.engen@oracle.com>, xfs@oss.sgi.com
Subject: Re: [PATCH v7 7/7] enable building user namespace with xfs
Date: Wed, 31 Jul 2013 10:21:19 +1000
Message-ID: <20130731002119.GR13468@dastard>
In-Reply-To: <20130730234021.GR3111@sgi.com>
On Tue, Jul 30, 2013 at 06:40:21PM -0500, Ben Myers wrote:
> Hey Dwight,
>
> On Mon, Jul 29, 2013 at 11:07:09PM -0400, Dwight Engen wrote:
> > From e6a9ee0cfa0ed40484f66bc1726dc19de36038b8 Mon Sep 17 00:00:00 2001
> > From: Dwight Engen <dwight.engen@oracle.com>
> > Date: Tue, 2 Jul 2013 09:52:54 -0400
> > Subject: [PATCH 7/7] enable building user namespace with xfs
> >
> > Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
>
> Was there a patch running around to limit bulkstat to init_user_ns? Any other
> items that needed to be addressed before applying this patch?
Bulkstat has a capable(CAP_SYS_ADMIN) check and therefore can only be
executed in the init name space. Similarly, all the open-by-handle
interfaces have the same capable() checks so they can only be
executed in the init name space, too.
The only thing I think we still need to address is whether
xfs_ioc_setattr() should allow users within a namespace to change
the project ID of a file they otherwise own. That function is
currently changed to use an inode_owner_or_capable() check and so if
the uids match inside the namespace the modification is allowed.
However, right now for project IDs I think we have decided to limit
manipulations to the init user namespace and not expose project IDs
inside user namespaces at all. Hence I think that xfs_ioc_setattr()
needs a further check for this...
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
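The access decisions Dave describes above, as an added user-space model that is not kernel code and not part of the patch series. It assumes a simplified picture of user namespaces: a caller carries a uid (as mapped into its own namespace), a namespace id where 0 stands in for init_user_ns, and a flag for holding CAP_SYS_ADMIN in that namespace. The kernel's capable() is modelled as a check against init_user_ns only, and inode_owner_or_capable() is reduced to "uid matches the owner, or the caller is privileged in its namespace"; the two projid policies contrast the current inode_owner_or_capable() gate with the additional init-namespace restriction the mail proposes.

```c
/* Added illustration (not XFS or kernel code): a user-space model of the
 * ioctl permission gates discussed in the thread. */
#include <stdbool.h>
#include <stdio.h>

/* Namespace identifiers in this model; 0 plays the role of init_user_ns. */
#define INIT_USER_NS 0u

struct caller {
    unsigned int uid;        /* caller's uid as seen inside its own namespace */
    unsigned int user_ns;    /* namespace the caller runs in */
    bool has_cap_sys_admin;  /* holds CAP_SYS_ADMIN within user_ns */
};

struct inode_model {
    unsigned int owner_uid;  /* inode owner, mapped into the caller's namespace */
};

/* Model of capable(CAP_SYS_ADMIN): the kernel evaluates it against
 * init_user_ns, so a capability held only inside a child namespace
 * does not satisfy it. */
static bool model_capable_sys_admin(const struct caller *c)
{
    return c->user_ns == INIT_USER_NS && c->has_cap_sys_admin;
}

/* Simplified model of inode_owner_or_capable(): owner match, or privilege
 * inside the caller's own namespace (treated here as CAP_SYS_ADMIN). */
static bool model_inode_owner_or_capable(const struct caller *c,
                                         const struct inode_model *ino)
{
    return c->uid == ino->owner_uid || c->has_cap_sys_admin;
}

/* Gate for bulkstat and the open-by-handle ioctls: capable() only, which
 * confines them to the init namespace. */
bool bulkstat_allowed(const struct caller *c)
{
    return model_capable_sys_admin(c);
}

/* Project ID change as xfs_ioc_setattr() is described to behave now:
 * a namespace-local owner passes because the mapped uids match. */
bool projid_change_allowed_current(const struct caller *c,
                                   const struct inode_model *ino)
{
    return model_inode_owner_or_capable(c, ino);
}

/* The further check the mail asks for: project IDs are not exposed inside
 * user namespaces, so refuse anything outside init_user_ns first. */
bool projid_change_allowed_proposed(const struct caller *c,
                                    const struct inode_model *ino)
{
    if (c->user_ns != INIT_USER_NS)
        return false;
    return model_inode_owner_or_capable(c, ino);
}

int main(void)
{
    /* Constructed sample callers: uid 1000 owns the file in both cases. */
    const struct inode_model file = { .owner_uid = 1000 };
    const struct caller in_init  = { .uid = 1000, .user_ns = INIT_USER_NS, .has_cap_sys_admin = false };
    const struct caller in_child = { .uid = 1000, .user_ns = 7, .has_cap_sys_admin = true };

    printf("caller          bulkstat  projid(current)  projid(proposed)\n");
    printf("init ns owner   %-9d %-16d %d\n", bulkstat_allowed(&in_init),
           projid_change_allowed_current(&in_init, &file),
           projid_change_allowed_proposed(&in_init, &file));
    printf("child ns owner  %-9d %-16d %d\n", bulkstat_allowed(&in_child),
           projid_change_allowed_current(&in_child, &file),
           projid_change_allowed_proposed(&in_child, &file));
    return 0;
}
```

The child-namespace row is the case the mail is concerned with: with only the inode_owner_or_capable() gate the owner inside the namespace may change the project ID, and even CAP_SYS_ADMIN held inside that namespace does not open bulkstat, because capable() is evaluated against init_user_ns.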