diff for duplicates of <20170623205118.GA23674@mail.hallyn.com> diff --git a/a/1.txt b/N1/1.txt index 48784d8..10a1855 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,6 +1,6 @@ -Quoting Vivek Goyal (vgoyal at redhat.com): +Quoting Vivek Goyal (vgoyal@redhat.com): > On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote: -> > Quoting Vivek Goyal (vgoyal at redhat.com): +> > Quoting Vivek Goyal (vgoyal@redhat.com): > > > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote: > > > > This series of patches primary goal is to enable file capabilities > > > > in user namespaces without affecting the file capabilities that are @@ -12,16 +12,16 @@ Quoting Vivek Goyal (vgoyal at redhat.com): > > > > name when a user namespace is used. If for example the root user > > > > in a user namespace writes the security.capability xattr, the name > > > > of the xattr that is actually written is encoded as -> > > > security.capability at uid=1000 for root mapped to uid 1000 on the host. +> > > > security.capability@uid=1000 for root mapped to uid 1000 on the host. > > > > When listing the xattrs on the host, the existing security.capability -> > > > as well as the security.capability at uid=1000 will be shown. Inside the +> > > > as well as the security.capability@uid=1000 will be shown. Inside the > > > > namespace only 'security.capability', with the value of -> > > > security.capability at uid=1000, is visible. +> > > > security.capability@uid=1000, is visible. > > > > > > Hi Stefan, > > > > > > Got a question. If child usernamespace sets a -> > > security.capability at uid=1000, can any of the parent namespace remove it? +> > > security.capability@uid=1000, can any of the parent namespace remove it? > > > > > > IOW, I set capability from usernamespace and tried to remove it from > > > host and that failed. Is that expected. @@ -31,21 +31,21 @@ Quoting Vivek Goyal (vgoyal at redhat.com): > > > > > > # outside user namespace > > > $listxattr foo.txt -> > > xattr: security.capability at uid=1000 +> > > xattr: security.capability@uid=1000 > > > xattr: security.selinux > > > > > > # outside user namespace -> > > setfattr -x security.capability at uid foo.txt +> > > setfattr -x security.capability@uid foo.txt > > > setfattr: foo.txt: Invalid argument > > > > > > Doing a strace shows removexattr() failed. May this will need fixing? > > > -> > > removexattr("testfile.txt", "security.capability at uid") = -1 EINVAL +> > > removexattr("testfile.txt", "security.capability@uid") = -1 EINVAL > > > (Invalid argument) > > > > That's not the right xattr, though, does > > -> > setfattr -x security.capability at uid=1000 foo.txt +> > setfattr -x security.capability@uid=1000 foo.txt > > > > work? > @@ -60,7 +60,3 @@ Quoting Vivek Goyal (vgoyal at redhat.com): D'oh, yes, I was thinking wrongly. You need *privilege* over the uid, meaning CAP_SETFACL against your user_ns and uid 1000 mapped into the user_ns. So yeah just uid 1000 won't suffice. --- -To unsubscribe from this list: send the line "unsubscribe linux-security-module" in -the body of a message to majordomo at vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index c73a4d8..8c10917 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -2,15 +2,28 @@ "ref\020170623200956.GB24779@redhat.com\0" "ref\020170623201723.GA22857@mail.hallyn.com\0" "ref\020170623203643.GC24779@redhat.com\0" - "From\0serge@hallyn.com (Serge E. Hallyn)\0" - "Subject\0[PATCH 0/3] Enable namespaced file capabilities\0" + "From\0Serge E. Hallyn <serge@hallyn.com>\0" + "Subject\0Re: [PATCH 0/3] Enable namespaced file capabilities\0" "Date\0Fri, 23 Jun 2017 15:51:18 -0500\0" - "To\0linux-security-module@vger.kernel.org\0" + "To\0Vivek Goyal <vgoyal@redhat.com>\0" + "Cc\0Serge E. Hallyn <serge@hallyn.com>" + Stefan Berger <stefanb@linux.vnet.ibm.com> + ebiederm@xmission.com + containers@lists.linux-foundation.org + lkp@01.org + xiaolong.ye@intel.com + linux-kernel@vger.kernel.org + zohar@linux.vnet.ibm.com + tycho@docker.com + James.Bottomley@hansenpartnership.com + christian.brauner@mailbox.org + amir73il@gmail.com + " linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" - "Quoting Vivek Goyal (vgoyal at redhat.com):\n" + "Quoting Vivek Goyal (vgoyal@redhat.com):\n" "> On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote:\n" - "> > Quoting Vivek Goyal (vgoyal at redhat.com):\n" + "> > Quoting Vivek Goyal (vgoyal@redhat.com):\n" "> > > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:\n" "> > > > This series of patches primary goal is to enable file capabilities\n" "> > > > in user namespaces without affecting the file capabilities that are\n" @@ -22,16 +35,16 @@ "> > > > name when a user namespace is used. If for example the root user\n" "> > > > in a user namespace writes the security.capability xattr, the name\n" "> > > > of the xattr that is actually written is encoded as\n" - "> > > > security.capability at uid=1000 for root mapped to uid 1000 on the host.\n" + "> > > > security.capability@uid=1000 for root mapped to uid 1000 on the host.\n" "> > > > When listing the xattrs on the host, the existing security.capability\n" - "> > > > as well as the security.capability at uid=1000 will be shown. Inside the\n" + "> > > > as well as the security.capability@uid=1000 will be shown. Inside the\n" "> > > > namespace only 'security.capability', with the value of\n" - "> > > > security.capability at uid=1000, is visible.\n" + "> > > > security.capability@uid=1000, is visible.\n" "> > > \n" "> > > Hi Stefan,\n" "> > > \n" "> > > Got a question. If child usernamespace sets a\n" - "> > > security.capability at uid=1000, can any of the parent namespace remove it?\n" + "> > > security.capability@uid=1000, can any of the parent namespace remove it?\n" "> > > \n" "> > > IOW, I set capability from usernamespace and tried to remove it from\n" "> > > host and that failed. Is that expected.\n" @@ -41,21 +54,21 @@ "> > > \n" "> > > # outside user namespace\n" "> > > $listxattr foo.txt\n" - "> > > xattr: security.capability at uid=1000\n" + "> > > xattr: security.capability@uid=1000\n" "> > > xattr: security.selinux\n" "> > > \n" "> > > # outside user namespace\n" - "> > > setfattr -x security.capability at uid foo.txt\n" + "> > > setfattr -x security.capability@uid foo.txt\n" "> > > setfattr: foo.txt: Invalid argument\n" "> > > \n" "> > > Doing a strace shows removexattr() failed. May this will need fixing?\n" "> > > \n" - "> > > removexattr(\"testfile.txt\", \"security.capability at uid\") = -1 EINVAL\n" + "> > > removexattr(\"testfile.txt\", \"security.capability@uid\") = -1 EINVAL\n" "> > > (Invalid argument)\n" "> > \n" "> > That's not the right xattr, though, does\n" "> > \n" - "> > \tsetfattr -x security.capability at uid=1000 foo.txt\n" + "> > \tsetfattr -x security.capability@uid=1000 foo.txt\n" "> > \n" "> > work?\n" "> \n" @@ -69,10 +82,6 @@ "\n" "D'oh, yes, I was thinking wrongly. You need *privilege* over the uid, meaning\n" "CAP_SETFACL against your user_ns and uid 1000 mapped into the user_ns. So yeah\n" - "just uid 1000 won't suffice.\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" - "the body of a message to majordomo at vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + just uid 1000 won't suffice. -75eeeb23e77b204bd4caec80bf7aa5910b09ab63946441c7fa9b503fbcb02eee +c90a4ef3df15dd38066771647fae56b939d30d99d821b83bea35e41e44303a06
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.