* Issues with UBIFS xattr support
@ 2009-02-05  6:49 Tim
  2009-02-05  9:30 ` Artem Bityutskiy
  0 siblings, 1 reply; 5+ messages in thread
From: Tim @ 2009-02-05  6:49 UTC
To: mtd, Artem.Bityutskiy

I found that UBIFS does not fully support xattr manipulation.

I use security context files labeling (in SELinux) that heavily relies
on proper manipulation of xattr by the filesystem.
And issues are:
- ubifs does not store xattr in inode for symbolic link files;
- if new file is created on ubifs, xattr should be automatically
  updated with security context label, but it does not.

Maybe there is a patch that fixes those issues already?

Kindest regards,
Tim

* Re: Issues with UBIFS xattr support
  2009-02-05  6:49 Issues with UBIFS xattr support Tim
@ 2009-02-05  9:30 ` Artem Bityutskiy
  2009-02-05 23:21   ` Tim
  0 siblings, 1 reply; 5+ messages in thread
From: Artem Bityutskiy @ 2009-02-05  9:30 UTC
To: Tim; +Cc: mtd

On Thu, 2009-02-05 at 15:49 +0900, Tim wrote:
> I found that UBIFS does not fully support xattr manipulation.

This is right. We have very limited xattr support, which has never been
tested well, because we do not use it.

http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr

> I use security context files labeling (in SELinux) that heavily relies
> on proper manipulation of xattr by the filesystem.
> And issues are:
> - ubifs does not store xattr in inode for symbolic link files;

Hmm, ok, this should not be too difficult to fix.

> - if new file is created on ubifs, xattr should be automatically
> updated with security context label, but it does not.

I'm very bad in security. Do you mean you need ACL support?
This is not supported.

> Maybe there is a patch that fixes those issues already?

Unfortunately not, you should find a sane SW engineer with a
clue and he may upgrade UBIFS, it is doable. We would of course
assist.

--
Best regards,
Artem Bityutskiy (Битюцкий Артём)

* Re: Issues with UBIFS xattr support
  2009-02-05  9:30 ` Artem Bityutskiy
@ 2009-02-05 23:21   ` Tim
  2009-02-06  7:39     ` Artem Bityutskiy
  0 siblings, 1 reply; 5+ messages in thread
From: Tim @ 2009-02-05 23:21 UTC
To: dedekind; +Cc: mtd

2009/2/5 Artem Bityutskiy <dedekind@infradead.org>:
> On Thu, 2009-02-05 at 15:49 +0900, Tim wrote:
>> I found that UBIFS does not fully support xattr manipulation.
>
> This is right. We have very limited xattr support, which has never been
> tested well, because we do not use it.
>
> http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr
>
>> I use security context files labeling (in SELinux) that heavily relies
>> on proper manipulation of xattr by the filesystem.
>> And issues are:
>> - ubifs does not store xattr in inode for symbolic link files;
>
> Hmm, ok, this should not be too difficult to fix.
>
>> - if new file is created on ubifs, xattr should be automatically
>> updated with security context label, but it does not.
>
> I'm very bad in security. Do you mean you need ACL support?
> This is not supported.

(I'm not good in filesystems, so sorry if I use some terms inappropriately)
No ACL is required, just security namespace in xattr.

When new file is created, then new inode should have proper contents
of xattr in security namespace. It is typically done by calling
security_inode_init_security() and updating xattr in a function
responsible for new inode creation. security_inode_init_security()
will take care on computing required value for xattr security
namespace for new inode.

Then security namespace will be fully supported, I think. And security
engineers will be happy to use ubifs with SELinux :)

>> Maybe there is a patch that fixes those issues already?
>
> Unfortunately not, you should find a sane SW engineer with a
> clue and he may upgrade UBIFS, it is doable. We would of course
> assist.

Oh... I will try to find one :)

Tim

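A userspace check for the two behaviours reported in this thread, added here as an example and not code from the thread or from UBIFS: it creates a file, a directory and a symlink under a mounted directory and reads each new inode's `security.selinux` xattr without following symlinks. The function names and the injectable `getter` parameter are assumptions of this example; `os.getxattr` is Linux-only.

```python
import errno
import os
import tempfile

SELINUX_XATTR = "security.selinux"  # xattr name SELinux uses for file contexts


def read_label(path, getter=None):
    """Return the security-namespace label of `path` itself, or None if absent.

    follow_symlinks=False matters: a symlink has its own inode and its own
    label; following it would report the target's label instead.
    """
    getter = getter or os.getxattr  # assumption: real lookups run on Linux
    try:
        raw = getter(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as exc:
        # ENODATA: attribute not set; ENOTSUP: no xattr support for this inode
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return raw.rstrip(b"\x00").decode("ascii", "replace")


def audit_new_inodes(mount_dir, getter=None):
    """Create one inode of each kind under mount_dir and report its label."""
    report = {}
    with tempfile.TemporaryDirectory(dir=mount_dir) as work:
        regular = os.path.join(work, "file")
        with open(regular, "w"):
            pass
        subdir = os.path.join(work, "dir")
        os.mkdir(subdir)
        link = os.path.join(work, "link")
        os.symlink("file", link)
        for kind, path in (("file", regular), ("dir", subdir), ("symlink", link)):
            report[kind] = read_label(path, getter)
    return report


def unlabeled(report):
    """Kinds of inode that were created without a security label."""
    return sorted(kind for kind, label in report.items() if label is None)
```

On an SELinux-enabled system, a non-empty result from `unlabeled(audit_new_inodes("/path/to/mount"))` means the filesystem is not labeling those inode types at creation.
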
* Re: Issues with UBIFS xattr support
  2009-02-05 23:21   ` Tim
@ 2009-02-06  7:39     ` Artem Bityutskiy
       [not found]       ` <a5e2b64d0902112248x6fa8b0f2w65ee131086e87bfd@mail.gmail.com>
  0 siblings, 1 reply; 5+ messages in thread
From: Artem Bityutskiy @ 2009-02-06  7:39 UTC
To: Tim; +Cc: mtd

On Fri, 2009-02-06 at 08:21 +0900, Tim wrote:
> 2009/2/5 Artem Bityutskiy <dedekind@infradead.org>:
> > On Thu, 2009-02-05 at 15:49 +0900, Tim wrote:
> >> I found that UBIFS does not fully support xattr manipulation.
> >
> > This is right. We have very limited xattr support, which has never been
> > tested well, because we do not use it.
> >
> > http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr
> >
> >> I use security context files labeling (in SELinux) that heavily relies
> >> on proper manipulation of xattr by the filesystem.
> >> And issues are:
> >> - ubifs does not store xattr in inode for symbolic link files;
> >
> > Hmm, ok, this should not be too difficult to fix.
> >
> >> - if new file is created on ubifs, xattr should be automatically
> >> updated with security context label, but it does not.
> >
> > I'm very bad in security. Do you mean you need ACL support?
> > This is not supported.
> (I'm not good in filesystems, so sorry if I use some terms inappropriately)
> No ACL is required, just security namespace in xattr.

OK, then things must be much simpler.

> When new file is created, then new inode should have proper contents
> of xattr in security namespace. It is typically done by calling
> security_inode_init_security() and updating xattr in a function
> responsible for new inode creation. security_inode_init_security()
> will take care on computing required value for xattr security
> namespace for new inode.

OK, this should be easy to add. I'm not sure I have time to do
this now, though. But you may try to do this yourself, should not
be very difficult.

And the "security." namespace seems to be supported. Although
it might be not fully supported. I mean, I tested reading, writing,
changing xattrs - this works. But some security namespace-specific
things might be missing.

--
Best regards,
Artem Bityutskiy (Битюцкий Артём)

[parent not found: <a5e2b64d0902112248x6fa8b0f2w65ee131086e87bfd@mail.gmail.com>]
[parent not found: <1234427114.17790.139.camel@localhost.localdomain>]

* Re: Issues with UBIFS xattr support
       [not found]         ` <1234427114.17790.139.camel@localhost.localdomain>
@ 2009-02-12 23:03           ` Tim
  0 siblings, 0 replies; 5+ messages in thread
From: Tim @ 2009-02-12 23:03 UTC
To: dedekind, mtd

2009/2/12 Artem Bityutskiy <dedekind@infradead.org>:
> On Thu, 2009-02-12 at 15:48 +0900, Tim wrote:
>> > And the "security." namespace seems to be supported. Although
>> > it might be not fully supported. I mean, I tested reading, writing,
>> > changing xattrs - this works. But some security namespace-specific
>> > things might be missing.

I have another question regarding xattr.
If I create new ubifs filesystem image using mkfs.ubifs, does this
utility read xattrs of original files and include them into the image?
I'm especially interested in "security." namespace.

Tim