diff for duplicates of <8760euyjbv.fsf@xmission.com> diff --git a/a/1.txt b/N1/1.txt index 4df1abe..530719d 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,18 +1,18 @@ "Serge E. Hallyn" <serge@hallyn.com> writes: -> Quoting Stefan Berger (stefanb at linux.vnet.ibm.com): +> Quoting Stefan Berger (stefanb(a)linux.vnet.ibm.com): >> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: ->> >Quoting Stefan Berger (stefanb at linux.vnet.ibm.com): +>> >Quoting Stefan Berger (stefanb(a)linux.vnet.ibm.com): >> >>On 07/13/2017 08:38 PM, Eric W. Biederman wrote: >> >>>Stefan Berger <stefanb@linux.vnet.ibm.com> writes: >> >>> >> >>>>On 07/13/2017 01:49 PM, Eric W. Biederman wrote: >> >>>> >> >>>>>My big question right now is can you implement Ted's suggested ->> >>>>>restriction. Only one security.foo or secuirty.foo at ... attribute ? +>> >>>>>restriction. Only one security.foo or secuirty.foo(a)... attribute ? >> >>>>We need to raw-list the xattrs and do the check before writing them. I am fairly sure this can be done. >> >>>> ->> >>>>So now you want to allow security.foo and one security.foo at uid=<> or just a single one security.foo(@[[:print:]]*)? +>> >>>>So now you want to allow security.foo and one security.foo(a)uid=<> or just a single one security.foo(@[[:print:]]*)? >> >>>> >> >>>The latter. >> >>That case would prevent a container user from overriding the xattr @@ -29,7 +29,7 @@ >> need to get rid of security.ima first, possibly by copying each >> file, deleting the original file, and renaming the copied file to >> the original name, or should I just be able to write out a new ->> signature, thus creating security.ima at uid=1000 besides the +>> signature, thus creating security.ima(a)uid=1000 besides the >> security.ima ? >> >> Stefan @@ -89,16 +89,3 @@ In short I am seeing more code that runs slower and is harder to maintain. Please point out where I am wrong. Eric - - - - - - - - - --- -To unsubscribe from this list: send the line "unsubscribe linux-security-module" in -the body of a message to majordomo at vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index 4ba72f7..641bfc3 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -1,35 +1,25 @@ - "ref\087y3rscz9j.fsf@xmission.com\0" - "ref\020170713164012.brj2flnkaaks2oci@thunk.org\0" - "ref\087k23cb6os.fsf@xmission.com\0" - "ref\0847ccb2a-30c0-a94c-df6f-091c8901eaa0@linux.vnet.ibm.com\0" - "ref\087bmoo8bxb.fsf@xmission.com\0" - "ref\09a3010e5-ca2b-5e7a-656b-fcc14f7bec4e@linux.vnet.ibm.com\0" - "ref\087h8yf7szd.fsf@xmission.com\0" - "ref\065dbe654-0d99-03fa-c838-5a726b462826@linux.vnet.ibm.com\0" - "ref\020170714133437.GA16737@mail.hallyn.com\0" - "ref\0596f808b-e21d-8296-5fef-23c1ce7ab778@linux.vnet.ibm.com\0" "ref\020170714173556.GA19669@mail.hallyn.com\0" - "From\0ebiederm@xmission.com (Eric W. Biederman)\0" - "Subject\0[PATCH v2] xattr: Enable security.capability in user namespaces\0" + "From\0Eric W. Biederman <ebiederm@xmission.com>\0" + "Subject\0Re: [PATCH v2] xattr: Enable security.capability in user namespaces\0" "Date\0Fri, 14 Jul 2017 13:17:08 -0500\0" - "To\0linux-security-module@vger.kernel.org\0" - "\00:1\0" + "To\0lkp@lists.01.org\0" + "\01:1\0" "b\0" "\"Serge E. Hallyn\" <serge@hallyn.com> writes:\n" "\n" - "> Quoting Stefan Berger (stefanb at linux.vnet.ibm.com):\n" + "> Quoting Stefan Berger (stefanb(a)linux.vnet.ibm.com):\n" ">> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote:\n" - ">> >Quoting Stefan Berger (stefanb at linux.vnet.ibm.com):\n" + ">> >Quoting Stefan Berger (stefanb(a)linux.vnet.ibm.com):\n" ">> >>On 07/13/2017 08:38 PM, Eric W. Biederman wrote:\n" ">> >>>Stefan Berger <stefanb@linux.vnet.ibm.com> writes:\n" ">> >>>\n" ">> >>>>On 07/13/2017 01:49 PM, Eric W. Biederman wrote:\n" ">> >>>>\n" ">> >>>>>My big question right now is can you implement Ted's suggested\n" - ">> >>>>>restriction. Only one security.foo or secuirty.foo at ... attribute ?\n" + ">> >>>>>restriction. Only one security.foo or secuirty.foo(a)... attribute ?\n" ">> >>>>We need to raw-list the xattrs and do the check before writing them. I am fairly sure this can be done.\n" ">> >>>>\n" - ">> >>>>So now you want to allow security.foo and one security.foo at uid=<> or just a single one security.foo(@[[:print:]]*)?\n" + ">> >>>>So now you want to allow security.foo and one security.foo(a)uid=<> or just a single one security.foo(@[[:print:]]*)?\n" ">> >>>>\n" ">> >>>The latter.\n" ">> >>That case would prevent a container user from overriding the xattr\n" @@ -46,7 +36,7 @@ ">> need to get rid of security.ima first, possibly by copying each\n" ">> file, deleting the original file, and renaming the copied file to\n" ">> the original name, or should I just be able to write out a new\n" - ">> signature, thus creating security.ima at uid=1000 besides the\n" + ">> signature, thus creating security.ima(a)uid=1000 besides the\n" ">> security.ima ?\n" ">> \n" ">> Stefan\n" @@ -105,19 +95,6 @@ "In short I am seeing more code that runs slower and is harder to\n" "maintain. Please point out where I am wrong.\n" "\n" - "Eric\n" - "\n" - "\n" - "\n" - "\n" - "\n" - "\n" - "\n" - "\n" - "\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" - "the body of a message to majordomo at vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + Eric -6962eee938c11d265c13bffd818f27d3166f1d6677fbdbc8a045b7dd4e03deaa +0761eb4b0d613406abcbb938cdeb73fad134b2eda69567c53bd356a8325ceb10
diff --git a/a/1.txt b/N2/1.txt index 4df1abe..c1cee96 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -1,18 +1,18 @@ "Serge E. Hallyn" <serge@hallyn.com> writes: -> Quoting Stefan Berger (stefanb at linux.vnet.ibm.com): +> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com): >> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: ->> >Quoting Stefan Berger (stefanb at linux.vnet.ibm.com): +>> >Quoting Stefan Berger (stefanb@linux.vnet.ibm.com): >> >>On 07/13/2017 08:38 PM, Eric W. Biederman wrote: >> >>>Stefan Berger <stefanb@linux.vnet.ibm.com> writes: >> >>> >> >>>>On 07/13/2017 01:49 PM, Eric W. Biederman wrote: >> >>>> >> >>>>>My big question right now is can you implement Ted's suggested ->> >>>>>restriction. Only one security.foo or secuirty.foo at ... attribute ? +>> >>>>>restriction. Only one security.foo or secuirty.foo@... attribute ? >> >>>>We need to raw-list the xattrs and do the check before writing them. I am fairly sure this can be done. >> >>>> ->> >>>>So now you want to allow security.foo and one security.foo at uid=<> or just a single one security.foo(@[[:print:]]*)? +>> >>>>So now you want to allow security.foo and one security.foo@uid=<> or just a single one security.foo(@[[:print:]]*)? >> >>>> >> >>>The latter. >> >>That case would prevent a container user from overriding the xattr @@ -29,7 +29,7 @@ >> need to get rid of security.ima first, possibly by copying each >> file, deleting the original file, and renaming the copied file to >> the original name, or should I just be able to write out a new ->> signature, thus creating security.ima at uid=1000 besides the +>> signature, thus creating security.ima@uid=1000 besides the >> security.ima ? >> >> Stefan @@ -89,16 +89,3 @@ In short I am seeing more code that runs slower and is harder to maintain. Please point out where I am wrong. Eric - - - - - - - - - --- -To unsubscribe from this list: send the line "unsubscribe linux-security-module" in -the body of a message to majordomo at vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N2/content_digest index 4ba72f7..c808253 100644 --- a/a/content_digest +++ b/N2/content_digest @@ -10,26 +10,39 @@ "ref\0596f808b-e21d-8296-5fef-23c1ce7ab778@linux.vnet.ibm.com\0" "ref\020170714173556.GA19669@mail.hallyn.com\0" "From\0ebiederm@xmission.com (Eric W. Biederman)\0" - "Subject\0[PATCH v2] xattr: Enable security.capability in user namespaces\0" + "Subject\0Re: [PATCH v2] xattr: Enable security.capability in user namespaces\0" "Date\0Fri, 14 Jul 2017 13:17:08 -0500\0" - "To\0linux-security-module@vger.kernel.org\0" + "To\0Serge E. Hallyn <serge@hallyn.com>\0" + "Cc\0Stefan Berger <stefanb@linux.vnet.ibm.com>" + Mimi Zohar <zohar@us.ibm.com> + Theodore Ts'o <tytso@mit.edu> + containers@lists.linux-foundation.org + lkp@01.org + linux-kernel@vger.kernel.org + tycho@docker.com + James.Bottomley@hansenpartnership.com + vgoyal@redhat.com + christian.brauner@mailbox.org + amir73il@gmail.com + linux-security-module@vger.kernel.org + " casey@schaufler-ca.com\0" "\00:1\0" "b\0" "\"Serge E. Hallyn\" <serge@hallyn.com> writes:\n" "\n" - "> Quoting Stefan Berger (stefanb at linux.vnet.ibm.com):\n" + "> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):\n" ">> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote:\n" - ">> >Quoting Stefan Berger (stefanb at linux.vnet.ibm.com):\n" + ">> >Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):\n" ">> >>On 07/13/2017 08:38 PM, Eric W. Biederman wrote:\n" ">> >>>Stefan Berger <stefanb@linux.vnet.ibm.com> writes:\n" ">> >>>\n" ">> >>>>On 07/13/2017 01:49 PM, Eric W. Biederman wrote:\n" ">> >>>>\n" ">> >>>>>My big question right now is can you implement Ted's suggested\n" - ">> >>>>>restriction. Only one security.foo or secuirty.foo at ... attribute ?\n" + ">> >>>>>restriction. Only one security.foo or secuirty.foo@... attribute ?\n" ">> >>>>We need to raw-list the xattrs and do the check before writing them. I am fairly sure this can be done.\n" ">> >>>>\n" - ">> >>>>So now you want to allow security.foo and one security.foo at uid=<> or just a single one security.foo(@[[:print:]]*)?\n" + ">> >>>>So now you want to allow security.foo and one security.foo@uid=<> or just a single one security.foo(@[[:print:]]*)?\n" ">> >>>>\n" ">> >>>The latter.\n" ">> >>That case would prevent a container user from overriding the xattr\n" @@ -46,7 +59,7 @@ ">> need to get rid of security.ima first, possibly by copying each\n" ">> file, deleting the original file, and renaming the copied file to\n" ">> the original name, or should I just be able to write out a new\n" - ">> signature, thus creating security.ima at uid=1000 besides the\n" + ">> signature, thus creating security.ima@uid=1000 besides the\n" ">> security.ima ?\n" ">> \n" ">> Stefan\n" @@ -105,19 +118,6 @@ "In short I am seeing more code that runs slower and is harder to\n" "maintain. Please point out where I am wrong.\n" "\n" - "Eric\n" - "\n" - "\n" - "\n" - "\n" - "\n" - "\n" - "\n" - "\n" - "\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" - "the body of a message to majordomo at vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + Eric -6962eee938c11d265c13bffd818f27d3166f1d6677fbdbc8a045b7dd4e03deaa +2bb63c44ee4ea355e5f287323c727e9ae4fd09cc7e1a1afa4833f987ce9a3f29
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.