diff for duplicates of <20170622233619.GC2894@mail.hallyn.com> diff --git a/a/1.txt b/N1/1.txt index b71b323..41346e9 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,4 +1,4 @@ -Quoting James Bottomley (James.Bottomley at HansenPartnership.com): +Quoting James Bottomley (James.Bottomley@HansenPartnership.com): > On Thu, 2017-06-22 at 14:59 -0400, Stefan Berger wrote: > > This series of patches primary goal is to enable file capabilities > > in user namespaces without affecting the file capabilities that are @@ -10,11 +10,11 @@ Quoting James Bottomley (James.Bottomley at HansenPartnership.com): > > name when a user namespace is used. If for example the root user > > in a user namespace writes the security.capability xattr, the name > > of the xattr that is actually written is encoded as -> > security.capability at uid=1000 for root mapped to uid 1000 on the host. +> > security.capability@uid=1000 for root mapped to uid 1000 on the host. > > When listing the xattrs on the host, the existing security.capability -> > as well as the security.capability at uid=1000 will be shown. Inside the +> > as well as the security.capability@uid=1000 will be shown. Inside the > > namespace only 'security.capability', with the value of -> > security.capability at uid=1000, is visible. +> > security.capability@uid=1000, is visible. > > I'm a bit bothered by the @uid=1000 suffix. What if I want to use this > capability but am dynamically mapping the namespaces (i.e. I know I @@ -41,7 +41,3 @@ The implication is that root on the host doesn't trust the image enough to write a real global file capability, but trusts it enough to 'endanger' all containers on the host. If that's the case, I have no objection to adding this as a feature. --- -To unsubscribe from this list: send the line "unsubscribe linux-security-module" in -the body of a message to majordomo at vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html 
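Review bot: the only body differences in the `a/1.txt` hunks are the mailman-style ` at ` address obfuscation being undone (`James.Bottomley at HansenPartnership.com` becoming `James.Bottomley@HansenPartnership.com`) and the removal of the `--` separator plus the three-line majordomo footer; note that the same ` at ` rewrite was applied in the first copy to the quoted xattr name, so `security.capability at uid=1000` there is the archive mangling a non-address token, and the correct name as written by the patch series is `security.capability@uid=1000`.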
diff --git a/a/content_digest b/N1/content_digest index 7d2b802..862186a 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -1,12 +1,25 @@ "ref\01498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com\0" "ref\01498174161.7636.4.camel@HansenPartnership.com\0" - "From\0serge@hallyn.com (Serge E. Hallyn)\0" - "Subject\0[PATCH 0/3] Enable namespaced file capabilities\0" + "From\0Serge E. Hallyn <serge@hallyn.com>\0" + "Subject\0Re: [PATCH 0/3] Enable namespaced file capabilities\0" "Date\0Thu, 22 Jun 2017 18:36:19 -0500\0" - "To\0linux-security-module@vger.kernel.org\0" + "To\0James Bottomley <James.Bottomley@hansenpartnership.com>\0" + "Cc\0Stefan Berger <stefanb@linux.vnet.ibm.com>" + ebiederm@xmission.com + containers@lists.linux-foundation.org + lkp@01.org + xiaolong.ye@intel.com + linux-kernel@vger.kernel.org + zohar@linux.vnet.ibm.com + serge@hallyn.com + tycho@docker.com + christian.brauner@mailbox.org + vgoyal@redhat.com + amir73il@gmail.com + " linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" - "Quoting James Bottomley (James.Bottomley at HansenPartnership.com):\n" + "Quoting James Bottomley (James.Bottomley@HansenPartnership.com):\n" "> On Thu, 2017-06-22 at 14:59 -0400, Stefan Berger wrote:\n" "> > This series of patches primary goal is to enable file capabilities\n" "> > in user namespaces without affecting the file capabilities that are\n" 
@@ -18,11 +31,11 @@ "> > name when a user namespace is used. If for example the root user\n" "> > in a user namespace writes the security.capability xattr, the name\n" "> > of the xattr that is actually written is encoded as\n" - "> > security.capability at uid=1000 for root mapped to uid 1000 on the host.\n" + "> > security.capability@uid=1000 for root mapped to uid 1000 on the host.\n" "> > When listing the xattrs on the host, the existing security.capability\n" - "> > as well as the security.capability at uid=1000 will be shown. Inside the\n" + "> > as well as the security.capability@uid=1000 will be shown. Inside the\n" "> > namespace only 'security.capability', with the value of\n" - "> > security.capability at uid=1000, is visible.\n" + "> > security.capability@uid=1000, is visible.\n" "> \n" "> I'm a bit bothered by the @uid=1000 suffix. What if I want to use this\n" "> capability but am dynamically mapping the namespaces (i.e. I know I\n" @@ -48,10 +61,6 @@ "The implication is that root on the host doesn't trust the image\n" "enough to write a real global file capability, but trusts it enough\n" "to 'endanger' all containers on the host. If that's the case, I have\n" - "no objection to adding this as a feature.\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" - "the body of a message to majordomo at vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + no objection to adding this as a feature. -5a1fb77856c131faef9780be71bf528f84af74f1cdad61f6e3c808545d610dbe +ea1a7cf495ca206d1b0f666f04cd4800f4abbb8df43929c5e81c52da4b455efc
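Review bot: in the `@@ -48,10 +61,6 @@` hunk the last body line on each side (`- More majordomo info at http://vger.kernel.org/majordomo-info.html` and `+ no objection to adding this as a feature.`) appears without the surrounding quotes and trailing `\n` that every other body line carries, so removing the footer changes which line is emitted in that form; worth confirming this is how the digest represents a final line without a trailing newline rather than a quoting bug, because the digest values (`5a1fb778...` versus `ea1a7cf4...`) would then differ for footer-only duplicates by design. The header hunk also shows the two copies differ in metadata only: `Subject` gains the `Re:` prefix, `From` changes display format, and the list address in `To` is replaced by the personal `To` with the full `Cc` list, consistent with one copy being list-delivered and the other a direct-recipient copy of the same message.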