diff for duplicates of <20170623200956.GB24779@redhat.com> diff --git a/a/1.txt b/N1/1.txt index 5e250d6..fa37827 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -9,16 +9,16 @@ On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote: > name when a user namespace is used. If for example the root user > in a user namespace writes the security.capability xattr, the name > of the xattr that is actually written is encoded as -> security.capability@uid=1000 for root mapped to uid 1000 on the host. +> security.capability at uid=1000 for root mapped to uid 1000 on the host. > When listing the xattrs on the host, the existing security.capability -> as well as the security.capability@uid=1000 will be shown. Inside the +> as well as the security.capability at uid=1000 will be shown. Inside the > namespace only 'security.capability', with the value of -> security.capability@uid=1000, is visible. +> security.capability at uid=1000, is visible. Hi Stefan, Got a question. If child usernamespace sets a -security.capability@uid=1000, can any of the parent namespace remove it? +security.capability at uid=1000, can any of the parent namespace remove it? IOW, I set capability from usernamespace and tried to remove it from host and that failed. Is that expected. 
@@ -28,16 +28,20 @@ $setcap cat_net_raw+ep foo.txt # outside user namespace $listxattr foo.txt - xattr: security.capability@uid=1000 + xattr: security.capability at uid=1000 xattr: security.selinux # outside user namespace -setfattr -x security.capability@uid foo.txt +setfattr -x security.capability at uid foo.txt setfattr: foo.txt: Invalid argument Doing a strace shows removexattr() failed. May this will need fixing? -removexattr("testfile.txt", "security.capability@uid") = -1 EINVAL +removexattr("testfile.txt", "security.capability at uid") = -1 EINVAL (Invalid argument) Vivek +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index 6f03551..0a9926a 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -1,17 +1,8 @@ "ref\01498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com\0" - "ref\01498157989-11814-1-git-send-email-stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org\0" - "From\0Vivek Goyal <vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>\0" - "Subject\0Re: [PATCH 0/3] Enable namespaced file capabilities\0" + "From\0vgoyal@redhat.com (Vivek Goyal)\0" + "Subject\0[PATCH 0/3] Enable namespaced file capabilities\0" "Date\0Fri, 23 Jun 2017 16:09:56 -0400\0" - "To\0Stefan Berger <stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>\0" - "Cc\0lkp-JC7UmRfGjtg@public.gmane.org" - containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org - linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - xiaolong.ye-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org - James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org - linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org - " zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:\n" 
@@ -25,16 +16,16 @@ "> name when a user namespace is used. If for example the root user\n" "> in a user namespace writes the security.capability xattr, the name\n" "> of the xattr that is actually written is encoded as\n" - "> security.capability@uid=1000 for root mapped to uid 1000 on the host.\n" + "> security.capability at uid=1000 for root mapped to uid 1000 on the host.\n" "> When listing the xattrs on the host, the existing security.capability\n" - "> as well as the security.capability@uid=1000 will be shown. Inside the\n" + "> as well as the security.capability at uid=1000 will be shown. Inside the\n" "> namespace only 'security.capability', with the value of\n" - "> security.capability@uid=1000, is visible.\n" + "> security.capability at uid=1000, is visible.\n" "\n" "Hi Stefan,\n" "\n" "Got a question. If child usernamespace sets a\n" - "security.capability@uid=1000, can any of the parent namespace remove it?\n" + "security.capability at uid=1000, can any of the parent namespace remove it?\n" "\n" "IOW, I set capability from usernamespace and tried to remove it from\n" "host and that failed. Is that expected.\n" 
@@ -44,18 +35,22 @@ "\n" "# outside user namespace\n" "$listxattr foo.txt\n" - " xattr: security.capability@uid=1000\n" + " xattr: security.capability at uid=1000\n" " xattr: security.selinux\n" "\n" "# outside user namespace\n" - "setfattr -x security.capability@uid foo.txt\n" + "setfattr -x security.capability at uid foo.txt\n" "setfattr: foo.txt: Invalid argument\n" "\n" "Doing a strace shows removexattr() failed. May this will need fixing?\n" "\n" - "removexattr(\"testfile.txt\", \"security.capability@uid\") = -1 EINVAL\n" + "removexattr(\"testfile.txt\", \"security.capability at uid\") = -1 EINVAL\n" "(Invalid argument)\n" "\n" - Vivek + "Vivek\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -1a93e8c10d62394d0bc146241ebaeab31a885b4df12313e085e1d070fbea2045 +1f3057fcc5957316c3d2ddbaa5b05d937ace2ca1bdb90fd21d1e932156fbd467
diff --git a/a/1.txt b/N2/1.txt index 5e250d6..cb3ba13 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -9,16 +9,16 @@ On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote: > name when a user namespace is used. If for example the root user > in a user namespace writes the security.capability xattr, the name > of the xattr that is actually written is encoded as -> security.capability@uid=1000 for root mapped to uid 1000 on the host. +> security.capability(a)uid=1000 for root mapped to uid 1000 on the host. > When listing the xattrs on the host, the existing security.capability -> as well as the security.capability@uid=1000 will be shown. Inside the +> as well as the security.capability(a)uid=1000 will be shown. Inside the > namespace only 'security.capability', with the value of -> security.capability@uid=1000, is visible. +> security.capability(a)uid=1000, is visible. Hi Stefan, Got a question. If child usernamespace sets a -security.capability@uid=1000, can any of the parent namespace remove it? +security.capability(a)uid=1000, can any of the parent namespace remove it? IOW, I set capability from usernamespace and tried to remove it from host and that failed. Is that expected. @@ -28,16 +28,16 @@ $setcap cat_net_raw+ep foo.txt # outside user namespace $listxattr foo.txt - xattr: security.capability@uid=1000 + xattr: security.capability(a)uid=1000 xattr: security.selinux # outside user namespace -setfattr -x security.capability@uid foo.txt +setfattr -x security.capability(a)uid foo.txt setfattr: foo.txt: Invalid argument Doing a strace shows removexattr() failed. May this will need fixing? -removexattr("testfile.txt", "security.capability@uid") = -1 EINVAL +removexattr("testfile.txt", "security.capability(a)uid") = -1 EINVAL (Invalid argument) Vivek diff --git a/a/content_digest b/N2/content_digest index 6f03551..7654c10 100644 --- a/a/content_digest +++ b/N2/content_digest 
@@ -1,18 +1,9 @@ "ref\01498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com\0" - "ref\01498157989-11814-1-git-send-email-stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org\0" - "From\0Vivek Goyal <vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>\0" + "From\0Vivek Goyal <vgoyal@redhat.com>\0" "Subject\0Re: [PATCH 0/3] Enable namespaced file capabilities\0" "Date\0Fri, 23 Jun 2017 16:09:56 -0400\0" - "To\0Stefan Berger <stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>\0" - "Cc\0lkp-JC7UmRfGjtg@public.gmane.org" - containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org - linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - xiaolong.ye-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org - James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org - linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org - " zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org\0" - "\00:1\0" + "To\0lkp@lists.01.org\0" + "\01:1\0" "b\0" "On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:\n" "> This series of patches primary goal is to enable file capabilities\n" 
@@ -25,16 +16,16 @@ "> name when a user namespace is used. If for example the root user\n" "> in a user namespace writes the security.capability xattr, the name\n" "> of the xattr that is actually written is encoded as\n" - "> security.capability@uid=1000 for root mapped to uid 1000 on the host.\n" + "> security.capability(a)uid=1000 for root mapped to uid 1000 on the host.\n" "> When listing the xattrs on the host, the existing security.capability\n" - "> as well as the security.capability@uid=1000 will be shown. Inside the\n" + "> as well as the security.capability(a)uid=1000 will be shown. Inside the\n" "> namespace only 'security.capability', with the value of\n" - "> security.capability@uid=1000, is visible.\n" + "> security.capability(a)uid=1000, is visible.\n" "\n" "Hi Stefan,\n" "\n" "Got a question. If child usernamespace sets a\n" - "security.capability@uid=1000, can any of the parent namespace remove it?\n" + "security.capability(a)uid=1000, can any of the parent namespace remove it?\n" "\n" "IOW, I set capability from usernamespace and tried to remove it from\n" "host and that failed. Is that expected.\n" @@ -44,18 +35,18 @@ "\n" "# outside user namespace\n" "$listxattr foo.txt\n" - " xattr: security.capability@uid=1000\n" + " xattr: security.capability(a)uid=1000\n" " xattr: security.selinux\n" "\n" "# outside user namespace\n" - "setfattr -x security.capability@uid foo.txt\n" + "setfattr -x security.capability(a)uid foo.txt\n" "setfattr: foo.txt: Invalid argument\n" "\n" "Doing a strace shows removexattr() failed. May this will need fixing?\n" "\n" - "removexattr(\"testfile.txt\", \"security.capability@uid\") = -1 EINVAL\n" + "removexattr(\"testfile.txt\", \"security.capability(a)uid\") = -1 EINVAL\n" "(Invalid argument)\n" "\n" Vivek -1a93e8c10d62394d0bc146241ebaeab31a885b4df12313e085e1d070fbea2045 +0aa6bc82c285605c06b2d14a2a430e7be9034188aac237b3ebd64fb03035aa86
diff --git a/a/content_digest b/N3/content_digest index 6f03551..10ba8f6 100644 --- a/a/content_digest +++ b/N3/content_digest @@ -1,17 +1,20 @@ "ref\01498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com\0" - "ref\01498157989-11814-1-git-send-email-stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org\0" - "From\0Vivek Goyal <vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>\0" + "From\0Vivek Goyal <vgoyal@redhat.com>\0" "Subject\0Re: [PATCH 0/3] Enable namespaced file capabilities\0" "Date\0Fri, 23 Jun 2017 16:09:56 -0400\0" - "To\0Stefan Berger <stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>\0" - "Cc\0lkp-JC7UmRfGjtg@public.gmane.org" - containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org - linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - xiaolong.ye-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org - James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org - linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org - " zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org\0" + "To\0Stefan Berger <stefanb@linux.vnet.ibm.com>\0" + "Cc\0ebiederm@xmission.com" + containers@lists.linux-foundation.org + lkp@01.org + xiaolong.ye@intel.com + linux-kernel@vger.kernel.org + zohar@linux.vnet.ibm.com + serge@hallyn.com + tycho@docker.com + James.Bottomley@hansenpartnership.com + christian.brauner@mailbox.org + amir73il@gmail.com + " linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:\n" @@ -58,4 +61,4 @@ "\n" Vivek -1a93e8c10d62394d0bc146241ebaeab31a885b4df12313e085e1d070fbea2045 +294eb132e05f4275b2cba52734061f4ea594a4f96debc74e364cbbcc5f2be9e6
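Review bot: in the N1 and N2 hunks for 1.txt, the address-obfuscation rewrite (`@` to ` at ` in N1, `@` to `(a)` in N2) was applied to the xattr name `security.capability@uid=1000` in the quoted text, to the `listxattr` output, to the `setfattr -x security.capability@uid foo.txt` command and to the `removexattr("testfile.txt", "security.capability@uid")` strace line, none of which are e-mail addresses. Those two copies therefore misquote the kernel-side identifier the thread is about; the N3 copy, whose diff touches only content_digest headers and leaves the body unchanged, is the faithful rendering of the message body and should be preferred when deduplicating.

Review bot: in the N1 content_digest hunk, the rewrite does more than obfuscate addresses: `Subject` loses its `Re: ` prefix, `From` is recast as `vgoyal@redhat.com (Vivek Goyal)`, the `To`/`Cc` recipients collapse to `linux-security-module@vger.kernel.org`, and a majordomo unsubscribe trailer is appended to the body, all of which are visible in the hunk. These are list-archive artifacts rather than properties of the original message, so N1's header and body should not be used as the canonical copy for threading or for quoting the reply-to/Cc set; the N3 headers (`To` Stefan Berger with the full Cc list) match the `Re:` subject and are the ones to keep.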
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.