diff for duplicates of <87tw3boe5d.fsf@xmission.com> diff --git a/a/1.txt b/N1/1.txt index a8f17d1..e8b92e0 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,10 +1,10 @@ -"Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes: +"Serge E. Hallyn" <serge@hallyn.com> writes: -> Quoting Stefan Berger (stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org): +> Quoting Stefan Berger (stefanb(a)linux.vnet.ibm.com): >> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote: >> >On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote: >> >>On 06/13/2017 07:55 PM, Serge E. Hallyn wrote: ->> >>>Quoting Stefan Berger (stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org): +>> >>>Quoting Stefan Berger (stefanb(a)linux.vnet.ibm.com): >> >>>> If all extended >> >>>>attributes were to support this model, maybe the 'uid' could be >> >>>>associated with the 'name' of the xattr rather than its 'value' (not 
@@ -42,25 +42,25 @@ > Thanks! > >> Encoding of uid is in the attribute name now as follows: ->> security.foo@uid=<uid> +>> security.foo(a)uid=<uid> >> >> 1) The 'plain' security.capability is only r/w accessible from the >> host (init_user_ns). >> 2) When userns reads/writes 'security.capability' it will read/write ->> security.capability@uid=<uid> instead, with uid being the uid of +>> security.capability(a)uid=<uid> instead, with uid being the uid of >> root , e.g. 1000. >> 3) When listing xattrs for userns the host's security.capability is >> filtered out to avoid read failures iof 'security.capability' if ->> security.capability@uid=<uid> is read but not there. (see 1) and 2)) +>> security.capability(a)uid=<uid> is read but not there. (see 1) and 2)) >> 4) security.capability* may all be read from anywhere ->> 5) security.capability@uid=<uid> may be read or written directly +>> 5) security.capability(a)uid=<uid> may be read or written directly >> from a userns if <uid> matches the uid of root (current_uid()) > > This looks very close to what we want. One exception - we do want > to support root in a user namespace being able to write -> security.capability@uid=<x> where <x> is a valid uid mapped in its +> security.capability(a)uid=<x> where <x> is a valid uid mapped in its > namespace. In that case the name should be rewritten to be -> security.capability@uid=<y> where y is the unmapped kuid.val. +> security.capability(a)uid=<y> where y is the unmapped kuid.val. > > Eric, > diff --git a/a/content_digest b/N1/content_digest index 392c9c1..a32ded6 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -1,34 +1,17 @@ - "ref\020170508044408.GA11400@mail.hallyn.com\0" - "ref\0CACOXgS9a=avAWZEre1Q1CGjSHeq78Pkq1fYfwPjiyEX-u=B5wQ@mail.gmail.com\0" - "ref\020170508181156.GA23112@mail.hallyn.com\0" - "ref\09f80188c-df03-066a-5dac-785cc711d064@linux.vnet.ibm.com\0" - "ref\020170613171818.GA9070@mail.hallyn.com\0" - "ref\074e490f3-3c47-abfa-86ae-0fa0d1ddb43a@linux.vnet.ibm.com\0" - "ref\020170613235521.GC15685@mail.hallyn.com\0" - "ref\0ce471b11-e76a-25f3-eae8-eca30e7233af@linux.vnet.ibm.com\0" - "ref\020170615030543.GA8979@mail.hallyn.com\0" - "ref\0f0df1914-bca2-31a0-cdba-df30d85d70b3@linux.vnet.ibm.com\0" "ref\020170618221418.GA364@mail.hallyn.com\0" - "ref\020170618221418.GA364-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org\0" - "From\0ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)\0" + "From\0Eric W. Biederman <ebiederm@xmission.com>\0" "Subject\0Re: [PATCH v4] Introduce v3 namespaced file capabilities\0" "Date\0Mon, 19 Jun 2017 16:34:22 -0500\0" - "To\0Serge E. Hallyn <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>\0" - "Cc\0Stefan Berger <stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>" - Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> - containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org - LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> - xiaolong.ye-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org - " lkp-JC7UmRfGjtg@public.gmane.org\0" - "\00:1\0" + "To\0lkp@lists.01.org\0" + "\01:1\0" "b\0" - "\"Serge E. Hallyn\" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:\n" + "\"Serge E. Hallyn\" <serge@hallyn.com> writes:\n" "\n" - "> Quoting Stefan Berger (stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org):\n" + "> Quoting Stefan Berger (stefanb(a)linux.vnet.ibm.com):\n" ">> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:\n" ">> >On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:\n" ">> >>On 06/13/2017 07:55 PM, Serge E. 
Hallyn wrote:\n" - ">> >>>Quoting Stefan Berger (stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org):\n" + ">> >>>Quoting Stefan Berger (stefanb(a)linux.vnet.ibm.com):\n" ">> >>>> If all extended\n" ">> >>>>attributes were to support this model, maybe the 'uid' could be\n" ">> >>>>associated with the 'name' of the xattr rather than its 'value' (not\n" 
@@ -66,25 +49,25 @@ "> Thanks!\n" ">\n" ">> Encoding of uid is in the attribute name now as follows:\n" - ">> security.foo@uid=<uid>\n" + ">> security.foo(a)uid=<uid>\n" ">> \n" ">> 1) The 'plain' security.capability is only r/w accessible from the\n" ">> host (init_user_ns).\n" ">> 2) When userns reads/writes 'security.capability' it will read/write\n" - ">> security.capability@uid=<uid> instead, with uid being the uid of\n" + ">> security.capability(a)uid=<uid> instead, with uid being the uid of\n" ">> root , e.g. 1000.\n" ">> 3) When listing xattrs for userns the host's security.capability is\n" ">> filtered out to avoid read failures iof 'security.capability' if\n" - ">> security.capability@uid=<uid> is read but not there. (see 1) and 2))\n" + ">> security.capability(a)uid=<uid> is read but not there. (see 1) and 2))\n" ">> 4) security.capability* may all be read from anywhere\n" - ">> 5) security.capability@uid=<uid> may be read or written directly\n" + ">> 5) security.capability(a)uid=<uid> may be read or written directly\n" ">> from a userns if <uid> matches the uid of root (current_uid())\n" ">\n" "> This looks very close to what we want. One exception - we do want\n" "> to support root in a user namespace being able to write\n" - "> security.capability@uid=<x> where <x> is a valid uid mapped in its\n" + "> security.capability(a)uid=<x> where <x> is a valid uid mapped in its\n" "> namespace. In that case the name should be rewritten to be\n" - "> security.capability@uid=<y> where y is the unmapped kuid.val.\n" + "> security.capability(a)uid=<y> where y is the unmapped kuid.val.\n" ">\n" "> Eric,\n" ">\n" @@ -99,4 +82,4 @@ "\n" Eric -5f3e05533e7f7f21670086026e80b5b212389b69be828aeea990bbb6c3278487 +941f2fc6e3f060e270e6bf0898d21e2eb9bc616b79756462d840ff5cb61832f0
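Review bot: in the N1 copy the `@` to `(a)` rewrite is applied to the quoted xattr names as well as to e-mail addresses, so `security.foo@uid=<uid>`, `security.capability@uid=<uid>` and `security.capability@uid=<x>`/`<y>` come out as `security.foo(a)uid=<uid>` and so on, and the archived text no longer states the attribute names the patch discussion is actually about. Address munging should only match whole `mailbox@domain` tokens (the `stefanb(a)linux.vnet.ibm.com` case is the intended one) and leave the `security.*@uid=` literals alone, since anyone reading this copy to understand or reproduce the v3 namespaced-capability naming scheme would get the wrong xattr name. The same copy also drops nine of the ten `ref` headers and the entire Cc list, replaces `To` with `lkp@lists.01.org` and changes `\00:1\0` to `\01:1\0`, so its content digest (`941f2fc6...`) differs from the original (`5f3e0553...`) for header reasons as well as for the body rewrite; the two should not be treated as the same message when deduplicating.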
diff --git a/a/1.txt b/N2/1.txt index a8f17d1..d9ba659 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -1,10 +1,10 @@ -"Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes: +"Serge E. Hallyn" <serge@hallyn.com> writes: -> Quoting Stefan Berger (stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org): +> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com): >> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote: >> >On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote: >> >>On 06/13/2017 07:55 PM, Serge E. Hallyn wrote: ->> >>>Quoting Stefan Berger (stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org): +>> >>>Quoting Stefan Berger (stefanb@linux.vnet.ibm.com): >> >>>> If all extended >> >>>>attributes were to support this model, maybe the 'uid' could be >> >>>>associated with the 'name' of the xattr rather than its 'value' (not diff --git a/a/content_digest b/N2/content_digest index 392c9c1..fce6ce7 100644 --- a/a/content_digest +++ b/N2/content_digest 
@@ -9,26 +9,26 @@ "ref\020170615030543.GA8979@mail.hallyn.com\0" "ref\0f0df1914-bca2-31a0-cdba-df30d85d70b3@linux.vnet.ibm.com\0" "ref\020170618221418.GA364@mail.hallyn.com\0" - "ref\020170618221418.GA364-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org\0" - "From\0ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)\0" + "From\0ebiederm@xmission.com (Eric W. Biederman)\0" "Subject\0Re: [PATCH v4] Introduce v3 namespaced file capabilities\0" "Date\0Mon, 19 Jun 2017 16:34:22 -0500\0" - "To\0Serge E. Hallyn <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>\0" - "Cc\0Stefan Berger <stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>" - Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> - containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org - LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> - xiaolong.ye-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org - " lkp-JC7UmRfGjtg@public.gmane.org\0" + "To\0Serge E. Hallyn <serge@hallyn.com>\0" + "Cc\0Stefan Berger <stefanb@linux.vnet.ibm.com>" + Masami Ichikawa <masami256@gmail.com> + containers@lists.linux-foundation.org + lkp@01.org + xiaolong.ye@intel.com + LKML <linux-kernel@vger.kernel.org> + " Mimi Zohar <zohar@linux.vnet.ibm.com>\0" "\00:1\0" "b\0" - "\"Serge E. Hallyn\" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> writes:\n" + "\"Serge E. Hallyn\" <serge@hallyn.com> writes:\n" "\n" - "> Quoting Stefan Berger (stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org):\n" + "> Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):\n" ">> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:\n" ">> >On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:\n" ">> >>On 06/13/2017 07:55 PM, Serge E. 
Hallyn wrote:\n" - ">> >>>Quoting Stefan Berger (stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org):\n" + ">> >>>Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):\n" ">> >>>> If all extended\n" ">> >>>>attributes were to support this model, maybe the 'uid' could be\n" ">> >>>>associated with the 'name' of the xattr rather than its 'value' (not\n" @@ -99,4 +99,4 @@ "\n" Eric -5f3e05533e7f7f21670086026e80b5b212389b69be828aeea990bbb6c3278487 +5d66a88e33fa4f79974c405b08a020361eaa1dedb3f556c076a10ccf30a516f6
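Review bot: the N2 copy leaves the `@` in the quoted xattr names intact and only replaces the gmane-style obfuscated addresses with the plain ones (`serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org` to `serge@hallyn.com`, `stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org` to `stefanb@linux.vnet.ibm.com`), so of the two duplicates this is the one whose body text is faithful to the original. Its header hunk, however, records a different recipient set from the original: Cc gains `Masami Ichikawa <masami256@gmail.com>`, `lkp@01.org` replaces the `lkp-JC7UmRfGjtg@public.gmane.org` form, and the second `ref\020170618221418.GA364-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org` reference is dropped, which is what moves the digest to `5d66a88e...`. Before collapsing either duplicate onto the original by digest, confirm against the source archive which recipient list is authoritative, since the added Cc entry is not present in either of the other two copies shown here.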