From: mtk.manpages@gmail.com (Michael Kerrisk (man-pages))
To: linux-security-module@vger.kernel.org
Subject: [manpages PATCH] capabilities.7: describe namespaced file capabilities
Date: Fri, 13 Apr 2018 21:29:20 +0200
Message-ID: <770ed948-c807-36d8-b946-ce6f60ffbf67@gmail.com>
In-Reply-To: <20180116173803.GA15538@mail.hallyn.com>

On 01/16/2018 06:38 PM, Serge E. Hallyn wrote:
> Quoting Jann Horn (jannh at google.com):
>> On Tue, Jan 9, 2018 at 7:52 PM, Serge E. Hallyn <serge@hallyn.com> wrote:

[...]

>>> +A VFS_CAP_REVISION_3 file capability will take effect only when run in a user namespace
>>> +whose UID 0 maps to the saved "nsroot", or a descendant of such a namespace.
>>> +.PP
>>> +Users with the required privilege may use
>>> +.BR setxattr(2)
>>> +to request either a VFS_CAP_REVISION_2 or VFS_CAP_REVISION_3 write.
>>> +The kernel will automatically convert a VFS_CAP_REVISION_2 to a
>>> +VFS_CAP_REVISION_3 extended attribute with the "nsroot"
>>> +set to the root user in the writer's user namespace, or, if a VFS_CAP_REVISION_3
>>> +extended attribute is specified, then the kernel will map the
>>> +specified root user ID (which must be a valid user ID mapped in the caller's
>>> +user namespace) into the initial user namespace.
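Review bot: the final sentence of the hunk says the kernel maps the specified root user ID "into the initial user namespace", but that only describes the kernel-internal view; as the reply below points out, the value written to the extended attribute is expressed relative to the user namespace that contains the mount namespace into which the filesystem was mounted, so the text should name that namespace rather than the initial one, since the difference becomes visible when the filesystem is mounted from a different namespace (or via FUSE inside a namespace). Separately, `.BR setxattr(2)` should be written `.BR setxattr (2)` so that only the function name is rendered bold and the section number stays roman, matching the convention used elsewhere in man-pages.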
>>
>> Really, "into the initial user namespace"? That may be true for the
>> kernel-internal representation, but the on-disk representation is the
>> mapping into the user namespace that contains the mount namespace into
>> which the file system was mounted, right?
> 
> Ah, yes, it is.
> 
>>  This would become observable
>> when a file system is mounted in a different namespace than before, or
>> when working with FUSE in a namespace.
> 
> Yes it would.
> 
> Michael, you said you were reworking it, do you mind working this into
> it as well?

So, I must confess that I don't really understand this piece of the
conversation--neither Jann's comments nor Serge's response (Serge, are
you saying Jann is right or wrong in his comments?). Perhaps this can
be clarified as a response to the man page text in the other mail I
just sent?

Cheers,

Michael



-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

Thread overview: 16+ messages
2018-01-09 18:52 [manpages PATCH] capabilities.7: describe namespaced file capabilities Serge E. Hallyn
2018-01-14  9:40 ` Michael Kerrisk (man-pages)
2018-01-15  4:31   ` Serge E. Hallyn
2018-01-16 17:26 ` Jann Horn
2018-01-16 17:38   ` Serge E. Hallyn
2018-01-17 23:44     ` Michael Kerrisk (man-pages)
2018-04-13 19:29     ` Michael Kerrisk (man-pages) [this message]
2018-04-15 19:22       ` Serge E. Hallyn
2018-04-22 16:46         ` Michael Kerrisk (man-pages)
2018-04-23 17:57           ` Serge E. Hallyn
2018-04-24 15:13           ` Eric W. Biederman
2018-04-13 19:26   ` Michael Kerrisk (man-pages)
2018-04-16 14:10     ` Jann Horn
2018-04-19 23:57       ` Serge E. Hallyn
2018-05-04 15:10       ` Michael Kerrisk (man-pages)
2018-04-20  0:04     ` Serge E. Hallyn
