From: Serge Hallyn <serge.hallyn@ubuntu.com>
To: Andy Whitcroft <apw@canonical.com>
Cc: "Miklos Szeredi" <miklos@szeredi.hu>,
Linux-Fsdevel <linux-fsdevel@vger.kernel.org>,
kernel-team@lists.ubuntu.com,
"Stéphane Graber" <stephane.graber@canonical.com>
Subject: Re: [PATCH RFC] overlayfs,xattr: allow unprivileged users to whiteout
Date: Fri, 28 Feb 2014 10:23:06 -0600 [thread overview]
Message-ID: <20140228162306.GA13215@sergelap> (raw)
In-Reply-To: <20140228145514.GD4334@dm>
Quoting Andy Whitcroft (apw@canonical.com):
> On Fri, Feb 28, 2014 at 03:15:14PM +0100, Miklos Szeredi wrote:
> > On Tue, Feb 25, 2014 at 6:31 PM, Serge Hallyn <serge.hallyn@ubuntu.com> wrote:
> > > To mark a file which exists in the lower layer as deleted,
> > > it creates a symbolic link to a file called "(overlay-whiteout)"
> > > in the writeable mount, and sets a "trusted.overlay" xattr
> > > on that link.
> > >
> > > 1. When the create the symbolic link as container root, not
> > > as the global root
> > >
> > > 2. Allow root in a container to edit "trusted.overlay*"
> > > xattrs. Generally only global root is allowed to edit
> > > "trusted.*"
> >
> > Shouldn't overlayfs just skip the permission checks and call
> > __vfs_setxattr_noperm() instead?
>
> It does seem we should be avoiding the permissions here, as we have let
> the thing be mounted we have done the permissions checks for that and for
> the file access itself already. This operation is something we definatly
> want to represent in the filesystem.
D'oh. Yeah, that looks good. Andy, should I send a new patch, or
can you make those changes inline?
-serge
next prev parent reply other threads:[~2014-02-28 16:23 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-25 17:31 [PATCH RFC] overlayfs,xattr: allow unprivileged users to whiteout Serge Hallyn
2014-02-28 14:15 ` Miklos Szeredi
2014-02-28 14:55 ` Andy Whitcroft
2014-02-28 16:23 ` Serge Hallyn [this message]
2014-03-05 17:46 ` [RFC] overlayfs priviledge escalation handling under user namespaces Andy Whitcroft
2014-03-05 17:46 ` [RFC PATCH 1/1] overlayfs: switch to the init user namespace for xattr operations Andy Whitcroft
2014-03-05 17:46 ` [RFC PATCH 1/1] overlayfs: use kernel service credentials for copy up and xattr manipulations Andy Whitcroft
2014-03-05 20:01 ` Serge Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140228162306.GA13215@sergelap \
--to=serge.hallyn@ubuntu.com \
--cc=apw@canonical.com \
--cc=kernel-team@lists.ubuntu.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=stephane.graber@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).