diff for duplicates of <20170623201723.GA22857@mail.hallyn.com> diff --git a/a/1.txt b/N1/1.txt index cea415e..28df1b7 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,4 +1,4 @@ -Quoting Vivek Goyal (vgoyal at redhat.com): +Quoting Vivek Goyal (vgoyal@redhat.com): > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote: > > This series of patches primary goal is to enable file capabilities > > in user namespaces without affecting the file capabilities that are @@ -10,16 +10,16 @@ Quoting Vivek Goyal (vgoyal at redhat.com): > > name when a user namespace is used. If for example the root user > > in a user namespace writes the security.capability xattr, the name > > of the xattr that is actually written is encoded as -> > security.capability at uid=1000 for root mapped to uid 1000 on the host. +> > security.capability@uid=1000 for root mapped to uid 1000 on the host. > > When listing the xattrs on the host, the existing security.capability -> > as well as the security.capability at uid=1000 will be shown. Inside the +> > as well as the security.capability@uid=1000 will be shown. Inside the > > namespace only 'security.capability', with the value of -> > security.capability at uid=1000, is visible. +> > security.capability@uid=1000, is visible. > > Hi Stefan, > > Got a question. If child usernamespace sets a -> security.capability at uid=1000, can any of the parent namespace remove it? +> security.capability@uid=1000, can any of the parent namespace remove it? > > IOW, I set capability from usernamespace and tried to remove it from > host and that failed. Is that expected. 
@@ -29,21 +29,21 @@ Quoting Vivek Goyal (vgoyal at redhat.com): > > # outside user namespace > $listxattr foo.txt -> xattr: security.capability at uid=1000 +> xattr: security.capability@uid=1000 > xattr: security.selinux > > # outside user namespace -> setfattr -x security.capability at uid foo.txt +> setfattr -x security.capability@uid foo.txt > setfattr: foo.txt: Invalid argument > > Doing a strace shows removexattr() failed. May this will need fixing? > -> removexattr("testfile.txt", "security.capability at uid") = -1 EINVAL +> removexattr("testfile.txt", "security.capability@uid") = -1 EINVAL > (Invalid argument) That's not the right xattr, though, does - setfattr -x security.capability at uid=1000 foo.txt + setfattr -x security.capability@uid=1000 foo.txt work? @@ -55,7 +55,3 @@ have privilege over the uid). If that doesn't work, then it's a bug. -serge --- -To unsubscribe from this list: send the line "unsubscribe linux-security-module" in -the body of a message to majordomo at vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index c096051..2950c30 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -1,12 +1,25 @@ "ref\01498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com\0" "ref\020170623200956.GB24779@redhat.com\0" - "From\0serge@hallyn.com (Serge E. Hallyn)\0" - "Subject\0[PATCH 0/3] Enable namespaced file capabilities\0" + "From\0Serge E. Hallyn <serge@hallyn.com>\0" + "Subject\0Re: [PATCH 0/3] Enable namespaced file capabilities\0" "Date\0Fri, 23 Jun 2017 15:17:23 -0500\0" - "To\0linux-security-module@vger.kernel.org\0" + "To\0Vivek Goyal <vgoyal@redhat.com>\0" + "Cc\0Stefan Berger <stefanb@linux.vnet.ibm.com>" + ebiederm@xmission.com + containers@lists.linux-foundation.org + lkp@01.org + xiaolong.ye@intel.com + linux-kernel@vger.kernel.org + zohar@linux.vnet.ibm.com + serge@hallyn.com + tycho@docker.com + James.Bottomley@hansenpartnership.com + christian.brauner@mailbox.org + amir73il@gmail.com + " linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" - "Quoting Vivek Goyal (vgoyal at redhat.com):\n" + "Quoting Vivek Goyal (vgoyal@redhat.com):\n" "> On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:\n" "> > This series of patches primary goal is to enable file capabilities\n" "> > in user namespaces without affecting the file capabilities that are\n" 
@@ -18,16 +31,16 @@ "> > name when a user namespace is used. If for example the root user\n" "> > in a user namespace writes the security.capability xattr, the name\n" "> > of the xattr that is actually written is encoded as\n" - "> > security.capability at uid=1000 for root mapped to uid 1000 on the host.\n" + "> > security.capability@uid=1000 for root mapped to uid 1000 on the host.\n" "> > When listing the xattrs on the host, the existing security.capability\n" - "> > as well as the security.capability at uid=1000 will be shown. Inside the\n" + "> > as well as the security.capability@uid=1000 will be shown. Inside the\n" "> > namespace only 'security.capability', with the value of\n" - "> > security.capability at uid=1000, is visible.\n" + "> > security.capability@uid=1000, is visible.\n" "> \n" "> Hi Stefan,\n" "> \n" "> Got a question. If child usernamespace sets a\n" - "> security.capability at uid=1000, can any of the parent namespace remove it?\n" + "> security.capability@uid=1000, can any of the parent namespace remove it?\n" "> \n" "> IOW, I set capability from usernamespace and tried to remove it from\n" "> host and that failed. Is that expected.\n" 
@@ -37,21 +50,21 @@ "> \n" "> # outside user namespace\n" "> $listxattr foo.txt\n" - "> xattr: security.capability at uid=1000\n" + "> xattr: security.capability@uid=1000\n" "> xattr: security.selinux\n" "> \n" "> # outside user namespace\n" - "> setfattr -x security.capability at uid foo.txt\n" + "> setfattr -x security.capability@uid foo.txt\n" "> setfattr: foo.txt: Invalid argument\n" "> \n" "> Doing a strace shows removexattr() failed. May this will need fixing?\n" "> \n" - "> removexattr(\"testfile.txt\", \"security.capability at uid\") = -1 EINVAL\n" + "> removexattr(\"testfile.txt\", \"security.capability@uid\") = -1 EINVAL\n" "> (Invalid argument)\n" "\n" "That's not the right xattr, though, does\n" "\n" - "\tsetfattr -x security.capability at uid=1000 foo.txt\n" + "\tsetfattr -x security.capability@uid=1000 foo.txt\n" "\n" "work?\n" "\n" @@ -62,10 +75,6 @@ "\n" "If that doesn't work, then it's a bug.\n" "\n" - "-serge\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" - "the body of a message to majordomo at vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + -serge -55c9d98ebdb9b5da9532163e44d6b1e3db5c32cb5bcea8716ec7e04a8c107f29 +6fcd2d8d584919ba0c64556d62174502ab2562878a842da887a239bffe6200b8
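Review bot: On the '-' side every '@' is rewritten to ' at ', and the substitution reaches past the e-mail addresses into the xattr name itself (`security.capability at uid=1000`, both `setfattr -x` lines and the quoted `removexattr()` trace), so the a/ copy no longer shows the attribute name or the commands as they were sent. Take the N1 ('+') copy as the reference for anything to be reproduced, for example `setfattr -x security.capability@uid=1000 foo.txt`. The content_digest hunks additionally show differing From, Subject, To and Cc headers and a list footer present only in the a/ copy; none of those change the technical content of the reply.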