public inbox for linux-xfs@vger.kernel.org
From: Dave Chinner <david@fromorbit.com>
To: Ben Myers <bpm@sgi.com>
Cc: Dwight Engen <dwight.engen@oracle.com>, xfs@oss.sgi.com
Subject: Re: [PATCH v7 7/7] enable building user namespace with xfs
Date: Thu, 1 Aug 2013 09:28:52 +1000
Message-ID: <20130731232852.GE7118@dastard>
In-Reply-To: <20130731132523.GS3111@sgi.com>

On Wed, Jul 31, 2013 at 08:25:23AM -0500, Ben Myers wrote:
> Hey,
> 
> On Wed, Jul 31, 2013 at 10:21:19AM +1000, Dave Chinner wrote:
> > On Tue, Jul 30, 2013 at 06:40:21PM -0500, Ben Myers wrote:
> > > On Mon, Jul 29, 2013 at 11:07:09PM -0400, Dwight Engen wrote:
> > > > From e6a9ee0cfa0ed40484f66bc1726dc19de36038b8 Mon Sep 17 00:00:00 2001
> > > > From: Dwight Engen <dwight.engen@oracle.com>
> > > > Date: Tue, 2 Jul 2013 09:52:54 -0400
> > > > Subject: [PATCH 7/7] enable building user namespace with xfs
> > > > 
> > > > Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
> > > 
> > > Was there a patch running around to limit bulkstat to init_user_ns?  Any other
> > > items that needed to be addressed before applying this patch?
> > 
> > Bulkstat has a capable(CAP_SYS_ADMIN) check and therefore can only be
> > executed in the init name space. Similarly, all the open-by-handle
> > interfaces have the same capable() checks so they can only be
> > executed in the init name space, too.
> 
> Gah.  I was under the impression that you could have a process with
> CAP_SYS_ADMIN in a namespace other than init_user_ns.

Ben, until about a week and a half ago I was also working under that
same understanding as you.  So don't feel bad about not knowing
about this basic, fundamental rule because it is completely
undocumented and it's not obvious to anyone reading the code until
someone points it out....

Cheers,

Dave.
-- 
Dave Chinner
david@fromorbit.com
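
The rule discussed in this message, as an added example that is not part of the original thread and is not kernel source: a simplified user-space C model of the user-namespace walk behind the kernel's capability check, where capable() is that same check evaluated against init_user_ns. The struct layouts, the *_model function names and the sample credentials are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_SYS_ADMIN 21 /* value from <linux/capability.h> */

/* Simplified stand-ins for the kernel's user_namespace and cred (assumed layout). */
struct user_ns { struct user_ns *parent; unsigned owner_uid; };
struct cred { struct user_ns *user_ns; unsigned euid; uint64_t cap_effective; };

static struct user_ns init_user_ns = { NULL, 0 };

/* Models the namespace walk: does `c` hold `cap` with respect to `target`? */
static bool ns_capable_model(const struct cred *c, struct user_ns *target, int cap)
{
    for (struct user_ns *ns = target; ; ns = ns->parent) {
        /* Target chain reached the task's own namespace: effective set decides. */
        if (ns == c->user_ns)
            return (c->cap_effective >> cap) & 1;
        /* Reached the root without meeting the task's namespace: denied. */
        if (ns == &init_user_ns)
            return false;
        /* The creator of a namespace holds all caps over it from the parent. */
        if (ns->parent == c->user_ns && ns->owner_uid == c->euid)
            return true;
    }
}

/* Models capable(): the check is always made against init_user_ns. */
static bool capable_model(const struct cred *c, int cap)
{
    return ns_capable_model(c, &init_user_ns, cap);
}

/* Constructed scenario: host uid 1000 created a container user namespace. */
static struct user_ns container_ns = { &init_user_ns, 1000 };
static const struct cred host_root = { &init_user_ns, 0, ~0ULL };
static const struct cred host_user = { &init_user_ns, 1000, 0 };
static const struct cred container_root = { &container_ns, 0, ~0ULL };

int main(void)
{
    printf("container root, capable(): %d\n", capable_model(&container_root, CAP_SYS_ADMIN));
    printf("container root, own ns: %d\n", ns_capable_model(&container_root, &container_ns, CAP_SYS_ADMIN));
    printf("host uid 1000, over its ns: %d\n", ns_capable_model(&host_user, &container_ns, CAP_SYS_ADMIN));
    return 0;
}
```

In this model, root inside the container has every bit set in its effective set and still fails the capable()-style check, which is why an interface guarded that way stays limited to the init namespace.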
