diff for duplicates of <20170623203643.GC24779@redhat.com> diff --git a/a/1.txt b/N1/1.txt index 528b5cf..3a683fe 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,5 +1,5 @@ On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote: -> Quoting Vivek Goyal (vgoyal at redhat.com): +> Quoting Vivek Goyal (vgoyal(a)redhat.com): > > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote: > > > This series of patches primary goal is to enable file capabilities > > > in user namespaces without affecting the file capabilities that are @@ -11,16 +11,16 @@ On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote: > > > name when a user namespace is used. If for example the root user > > > in a user namespace writes the security.capability xattr, the name > > > of the xattr that is actually written is encoded as -> > > security.capability at uid=1000 for root mapped to uid 1000 on the host. +> > > security.capability(a)uid=1000 for root mapped to uid 1000 on the host. > > > When listing the xattrs on the host, the existing security.capability -> > > as well as the security.capability at uid=1000 will be shown. Inside the +> > > as well as the security.capability(a)uid=1000 will be shown. Inside the > > > namespace only 'security.capability', with the value of -> > > security.capability at uid=1000, is visible. +> > > security.capability(a)uid=1000, is visible. > > > > Hi Stefan, > > > > Got a question. If child usernamespace sets a -> > security.capability at uid=1000, can any of the parent namespace remove it? +> > security.capability(a)uid=1000, can any of the parent namespace remove it? > > > > IOW, I set capability from usernamespace and tried to remove it from > > host and that failed. Is that expected. 
@@ -30,21 +30,21 @@ On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote: > > > > # outside user namespace > > $listxattr foo.txt -> > xattr: security.capability at uid=1000 +> > xattr: security.capability(a)uid=1000 > > xattr: security.selinux > > > > # outside user namespace -> > setfattr -x security.capability at uid foo.txt +> > setfattr -x security.capability(a)uid foo.txt > > setfattr: foo.txt: Invalid argument > > > > Doing a strace shows removexattr() failed. May this will need fixing? > > -> > removexattr("testfile.txt", "security.capability at uid") = -1 EINVAL +> > removexattr("testfile.txt", "security.capability(a)uid") = -1 EINVAL > > (Invalid argument) > > That's not the right xattr, though, does > -> setfattr -x security.capability at uid=1000 foo.txt +> setfattr -x security.capability(a)uid=1000 foo.txt > > work? @@ -60,14 +60,14 @@ $ ll testfile.txt -rw-r--r--. 1 vivek vivek 0 Jun 23 15:44 testfile.txt $listxattr testfile.txt -xattr: security.capability at uid=1000 +xattr: security.capability(a)uid=1000 xattr: security.selinux $id uid=1000(vivek) gid=1000(vivek) groups=1000(vivek) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -$setfattr -x security.capability at uid=1000 testfile.txt +$setfattr -x security.capability(a)uid=1000 testfile.txt setfattr: testfile.txt: Operation not permitted I had to launch a user namespace with 1000 mapped to 0 inside user @@ -85,7 +85,3 @@ Vivek > If that doesn't work, then it's a bug. > > -serge --- -To unsubscribe from this list: send the line "unsubscribe linux-security-module" in -the body of a message to majordomo at vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index bf9db38..48d6e71 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -1,14 +1,12 @@ - "ref\01498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com\0" - "ref\020170623200956.GB24779@redhat.com\0" "ref\020170623201723.GA22857@mail.hallyn.com\0" - "From\0vgoyal@redhat.com (Vivek Goyal)\0" - "Subject\0[PATCH 0/3] Enable namespaced file capabilities\0" + "From\0Vivek Goyal <vgoyal@redhat.com>\0" + "Subject\0Re: [PATCH 0/3] Enable namespaced file capabilities\0" "Date\0Fri, 23 Jun 2017 16:36:43 -0400\0" - "To\0linux-security-module@vger.kernel.org\0" - "\00:1\0" + "To\0lkp@lists.01.org\0" + "\01:1\0" "b\0" "On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote:\n" - "> Quoting Vivek Goyal (vgoyal at redhat.com):\n" + "> Quoting Vivek Goyal (vgoyal(a)redhat.com):\n" "> > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:\n" "> > > This series of patches primary goal is to enable file capabilities\n" "> > > in user namespaces without affecting the file capabilities that are\n" 
@@ -20,16 +18,16 @@ "> > > name when a user namespace is used. If for example the root user\n" "> > > in a user namespace writes the security.capability xattr, the name\n" "> > > of the xattr that is actually written is encoded as\n" - "> > > security.capability at uid=1000 for root mapped to uid 1000 on the host.\n" + "> > > security.capability(a)uid=1000 for root mapped to uid 1000 on the host.\n" "> > > When listing the xattrs on the host, the existing security.capability\n" - "> > > as well as the security.capability at uid=1000 will be shown. Inside the\n" + "> > > as well as the security.capability(a)uid=1000 will be shown. Inside the\n" "> > > namespace only 'security.capability', with the value of\n" - "> > > security.capability at uid=1000, is visible.\n" + "> > > security.capability(a)uid=1000, is visible.\n" "> > \n" "> > Hi Stefan,\n" "> > \n" "> > Got a question. If child usernamespace sets a\n" - "> > security.capability at uid=1000, can any of the parent namespace remove it?\n" + "> > security.capability(a)uid=1000, can any of the parent namespace remove it?\n" "> > \n" "> > IOW, I set capability from usernamespace and tried to remove it from\n" "> > host and that failed. Is that expected.\n" 
@@ -39,21 +37,21 @@ "> > \n" "> > # outside user namespace\n" "> > $listxattr foo.txt\n" - "> > xattr: security.capability at uid=1000\n" + "> > xattr: security.capability(a)uid=1000\n" "> > xattr: security.selinux\n" "> > \n" "> > # outside user namespace\n" - "> > setfattr -x security.capability at uid foo.txt\n" + "> > setfattr -x security.capability(a)uid foo.txt\n" "> > setfattr: foo.txt: Invalid argument\n" "> > \n" "> > Doing a strace shows removexattr() failed. May this will need fixing?\n" "> > \n" - "> > removexattr(\"testfile.txt\", \"security.capability at uid\") = -1 EINVAL\n" + "> > removexattr(\"testfile.txt\", \"security.capability(a)uid\") = -1 EINVAL\n" "> > (Invalid argument)\n" "> \n" "> That's not the right xattr, though, does\n" "> \n" - "> \tsetfattr -x security.capability at uid=1000 foo.txt\n" + "> \tsetfattr -x security.capability(a)uid=1000 foo.txt\n" "> \n" "> work?\n" "\n" @@ -69,14 +67,14 @@ "-rw-r--r--. 1 vivek vivek 0 Jun 23 15:44 testfile.txt\n" "\n" "$listxattr testfile.txt\n" - "xattr: security.capability at uid=1000\n" + "xattr: security.capability(a)uid=1000\n" "xattr: security.selinux\n" "\n" "$id\n" "uid=1000(vivek) gid=1000(vivek) groups=1000(vivek)\n" "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n" "\n" - "$setfattr -x security.capability at uid=1000 testfile.txt \n" + "$setfattr -x security.capability(a)uid=1000 testfile.txt \n" "setfattr: testfile.txt: Operation not permitted\n" "\n" "I had to launch a user namespace with 1000 mapped to 0 inside user\n" 
@@ -93,10 +91,6 @@ "> \n" "> If that doesn't work, then it's a bug.\n" "> \n" - "> -serge\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" - "the body of a message to majordomo at vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + > -serge -f200c0742453c9d03c6e07d0d266ce7ef858bb6b406b88cf06cc49d325746f2d +4899a4ebaa5095cf5ec8c8bf5d13f6c619800c3d50c2e8c4aaf516374b503eae
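Review bot: in the N1 copy the content_digest hunk at `@@ -1,14 +1,12 @@` drops the two `ref` entries pointing at the original series (`1498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com`) and at Vivek's earlier reply (`20170623200956.GB24779@redhat.com`), rewrites To: to `lkp@lists.01.org` and changes the position marker from `"\00:1\0"` to `"\01:1\0"`, so it is threading metadata, not message text, that distinguishes this duplicate; the body hunks only change the address encoding (` at ` to `(a)`) and strip the majordomo trailer. One inconsistency worth flagging in the last hunk: the signature line is re-emitted as a bare `+ > -serge` while the line it replaces was `"> -serge\n"`, so it lacks the quoting and trailing `\n` that every other body line in the digest carries.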
diff --git a/a/1.txt b/N2/1.txt index 528b5cf..99d7d60 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -1,5 +1,5 @@ On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote: -> Quoting Vivek Goyal (vgoyal at redhat.com): +> Quoting Vivek Goyal (vgoyal@redhat.com): > > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote: > > > This series of patches primary goal is to enable file capabilities > > > in user namespaces without affecting the file capabilities that are @@ -11,16 +11,16 @@ On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote: > > > name when a user namespace is used. If for example the root user > > > in a user namespace writes the security.capability xattr, the name > > > of the xattr that is actually written is encoded as -> > > security.capability at uid=1000 for root mapped to uid 1000 on the host. +> > > security.capability@uid=1000 for root mapped to uid 1000 on the host. > > > When listing the xattrs on the host, the existing security.capability -> > > as well as the security.capability at uid=1000 will be shown. Inside the +> > > as well as the security.capability@uid=1000 will be shown. Inside the > > > namespace only 'security.capability', with the value of -> > > security.capability at uid=1000, is visible. +> > > security.capability@uid=1000, is visible. > > > > Hi Stefan, > > > > Got a question. If child usernamespace sets a -> > security.capability at uid=1000, can any of the parent namespace remove it? +> > security.capability@uid=1000, can any of the parent namespace remove it? > > > > IOW, I set capability from usernamespace and tried to remove it from > > host and that failed. Is that expected. 
@@ -30,21 +30,21 @@ On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote: > > > > # outside user namespace > > $listxattr foo.txt -> > xattr: security.capability at uid=1000 +> > xattr: security.capability@uid=1000 > > xattr: security.selinux > > > > # outside user namespace -> > setfattr -x security.capability at uid foo.txt +> > setfattr -x security.capability@uid foo.txt > > setfattr: foo.txt: Invalid argument > > > > Doing a strace shows removexattr() failed. May this will need fixing? > > -> > removexattr("testfile.txt", "security.capability at uid") = -1 EINVAL +> > removexattr("testfile.txt", "security.capability@uid") = -1 EINVAL > > (Invalid argument) > > That's not the right xattr, though, does > -> setfattr -x security.capability at uid=1000 foo.txt +> setfattr -x security.capability@uid=1000 foo.txt > > work? @@ -60,14 +60,14 @@ $ ll testfile.txt -rw-r--r--. 1 vivek vivek 0 Jun 23 15:44 testfile.txt $listxattr testfile.txt -xattr: security.capability at uid=1000 +xattr: security.capability@uid=1000 xattr: security.selinux $id uid=1000(vivek) gid=1000(vivek) groups=1000(vivek) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -$setfattr -x security.capability at uid=1000 testfile.txt +$setfattr -x security.capability@uid=1000 testfile.txt setfattr: testfile.txt: Operation not permitted I had to launch a user namespace with 1000 mapped to 0 inside user @@ -85,7 +85,3 @@ Vivek > If that doesn't work, then it's a bug. > > -serge --- -To unsubscribe from this list: send the line "unsubscribe linux-security-module" in -the body of a message to majordomo at vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N2/content_digest index bf9db38..f41b7ef 100644 --- a/a/content_digest +++ b/N2/content_digest 
@@ -1,14 +1,26 @@ "ref\01498157989-11814-1-git-send-email-stefanb@linux.vnet.ibm.com\0" "ref\020170623200956.GB24779@redhat.com\0" "ref\020170623201723.GA22857@mail.hallyn.com\0" - "From\0vgoyal@redhat.com (Vivek Goyal)\0" - "Subject\0[PATCH 0/3] Enable namespaced file capabilities\0" + "From\0Vivek Goyal <vgoyal@redhat.com>\0" + "Subject\0Re: [PATCH 0/3] Enable namespaced file capabilities\0" "Date\0Fri, 23 Jun 2017 16:36:43 -0400\0" - "To\0linux-security-module@vger.kernel.org\0" + "To\0Serge E. Hallyn <serge@hallyn.com>\0" + "Cc\0Stefan Berger <stefanb@linux.vnet.ibm.com>" + ebiederm@xmission.com + containers@lists.linux-foundation.org + lkp@01.org + xiaolong.ye@intel.com + linux-kernel@vger.kernel.org + zohar@linux.vnet.ibm.com + tycho@docker.com + James.Bottomley@hansenpartnership.com + christian.brauner@mailbox.org + amir73il@gmail.com + " linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote:\n" - "> Quoting Vivek Goyal (vgoyal at redhat.com):\n" + "> Quoting Vivek Goyal (vgoyal@redhat.com):\n" "> > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:\n" "> > > This series of patches primary goal is to enable file capabilities\n" "> > > in user namespaces without affecting the file capabilities that are\n" 
@@ -20,16 +32,16 @@ "> > > name when a user namespace is used. If for example the root user\n" "> > > in a user namespace writes the security.capability xattr, the name\n" "> > > of the xattr that is actually written is encoded as\n" - "> > > security.capability at uid=1000 for root mapped to uid 1000 on the host.\n" + "> > > security.capability@uid=1000 for root mapped to uid 1000 on the host.\n" "> > > When listing the xattrs on the host, the existing security.capability\n" - "> > > as well as the security.capability at uid=1000 will be shown. Inside the\n" + "> > > as well as the security.capability@uid=1000 will be shown. Inside the\n" "> > > namespace only 'security.capability', with the value of\n" - "> > > security.capability at uid=1000, is visible.\n" + "> > > security.capability@uid=1000, is visible.\n" "> > \n" "> > Hi Stefan,\n" "> > \n" "> > Got a question. If child usernamespace sets a\n" - "> > security.capability at uid=1000, can any of the parent namespace remove it?\n" + "> > security.capability@uid=1000, can any of the parent namespace remove it?\n" "> > \n" "> > IOW, I set capability from usernamespace and tried to remove it from\n" "> > host and that failed. Is that expected.\n" 
@@ -39,21 +51,21 @@ "> > \n" "> > # outside user namespace\n" "> > $listxattr foo.txt\n" - "> > xattr: security.capability at uid=1000\n" + "> > xattr: security.capability@uid=1000\n" "> > xattr: security.selinux\n" "> > \n" "> > # outside user namespace\n" - "> > setfattr -x security.capability at uid foo.txt\n" + "> > setfattr -x security.capability@uid foo.txt\n" "> > setfattr: foo.txt: Invalid argument\n" "> > \n" "> > Doing a strace shows removexattr() failed. May this will need fixing?\n" "> > \n" - "> > removexattr(\"testfile.txt\", \"security.capability at uid\") = -1 EINVAL\n" + "> > removexattr(\"testfile.txt\", \"security.capability@uid\") = -1 EINVAL\n" "> > (Invalid argument)\n" "> \n" "> That's not the right xattr, though, does\n" "> \n" - "> \tsetfattr -x security.capability at uid=1000 foo.txt\n" + "> \tsetfattr -x security.capability@uid=1000 foo.txt\n" "> \n" "> work?\n" "\n" @@ -69,14 +81,14 @@ "-rw-r--r--. 1 vivek vivek 0 Jun 23 15:44 testfile.txt\n" "\n" "$listxattr testfile.txt\n" - "xattr: security.capability at uid=1000\n" + "xattr: security.capability@uid=1000\n" "xattr: security.selinux\n" "\n" "$id\n" "uid=1000(vivek) gid=1000(vivek) groups=1000(vivek)\n" "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\n" "\n" - "$setfattr -x security.capability at uid=1000 testfile.txt \n" + "$setfattr -x security.capability@uid=1000 testfile.txt \n" "setfattr: testfile.txt: Operation not permitted\n" "\n" "I had to launch a user namespace with 1000 mapped to 0 inside user\n" @@ -93,10 +105,6 @@ "> \n" "> If that doesn't work, then it's a bug.\n" "> \n" - "> -serge\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" - "the body of a message to majordomo at vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + > -serge -f200c0742453c9d03c6e07d0d266ce7ef858bb6b406b88cf06cc49d325746f2d +28465ba9cf18e5500097906a875496bfbdb9daaf019040d4dd747cc6ab70514e
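Review bot: the N2 copy restores the plain `@` in every address and expands the Cc: list in the content_digest hunk at `@@ -1,14 +1,26 @@`, but only the first entry `"Cc\0Stefan Berger <stefanb@linux.vnet.ibm.com>"` is quoted, and it has no terminating `\0`; the remaining entries from `ebiederm@xmission.com` through `amir73il@gmail.com` are bare lines, with the closing `\0"` arriving only on `" linux-security-module@vger.kernel.org\0"`. A field-by-field reader of the digest will not round-trip that header. As in the N1 copy, the final hunk reinserts `+ > -serge` without the `"…\n"` quoting used for the surrounding body lines.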