public inbox for linux-xfs@vger.kernel.org
From: Dave Chinner <david@fromorbit.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Ben Myers <bpm@sgi.com>, Dwight Engen <dwight.engen@oracle.com>,
	xfs@oss.sgi.com
Subject: ***** SUSPECTED SPAM ***** Re: [PATCH v7 7/7] enable building user namespace with xfs
Date: Mon, 12 Aug 2013 09:57:33 +1000	[thread overview]
Message-ID: <20130811235733.GF12779@dastard> (raw)
In-Reply-To: <20130807145930.GA28565@mail.hallyn.com>

On Wed, Aug 07, 2013 at 02:59:30PM +0000, Serge E. Hallyn wrote:
> Quoting Dave Chinner (david@fromorbit.com):
> > On Wed, Jul 31, 2013 at 08:25:23AM -0500, Ben Myers wrote:
> > > Hey,
> > > 
> > > On Wed, Jul 31, 2013 at 10:21:19AM +1000, Dave Chinner wrote:
> > > > On Tue, Jul 30, 2013 at 06:40:21PM -0500, Ben Myers wrote:
> > > > > On Mon, Jul 29, 2013 at 11:07:09PM -0400, Dwight Engen wrote:
> > > > > > From e6a9ee0cfa0ed40484f66bc1726dc19de36038b8 Mon Sep 17 00:00:00 2001
> > > > > > From: Dwight Engen <dwight.engen@oracle.com>
> > > > > > Date: Tue, 2 Jul 2013 09:52:54 -0400
> > > > > > Subject: [PATCH 7/7] enable building user namespace with xfs
> > > > > > 
> > > > > > Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
> > > > > 
> > > > > Was there a patch running around to limit bulkstat to init_user_ns?  Any other
> > > > > items that needed to be addressed before applying this patch?
> > > > 
> > > > Bulkstat has a capable(CAP_SYS_ADMIN) check and therefore can only be
> > > > executed in the init name space. Similarly, all the open-by-handle
> > > > interfaces have the same capable() checks so they can only be
> > > > executed in the init name space, too.
> > > 
> > > Gah.  I was under the impression that you could have a process with
> > > CAP_SYS_ADMIN in a namespace other than init_user_ns.
> > 
> > Ben, until about a week and a half ago I was also working under that
> > same understanding as you.  So don't feel bad about not knowing
> > about this basic, fundamental rule because it is completely
> > undocumented and it's not obvious to anyone reading the code until
> > someone points it out....
> 
> It's actually all documented in new manpages like namespaces(7) and
> user_namespaces(7).  Unfortunately those don't seem to have been released yet.

User facing documentation goes in man pages.

My comments about the above point at the fact that there is no
developer facing documentation that tells us how to safely and
*securely* implement namespace support in different filesystems.
Information on the architecture, design and use of internal kernel
infrastructure for kernel developers should be in the Documentation/
subdirectory of the kernel tree.

Cheers,

Dave.
-- 
Dave Chinner
david@fromorbit.com

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
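Added example, not part of the thread and not XFS or kernel code: a small
userspace C program that shows the rule Dave describes above. After
unshare(CLONE_NEWUSER) and a uid_map write, /proc/self/status reports a full
effective capability set, CAP_SYS_ADMIN included, yet a system call gated by
capable() in the kernel still fails with EPERM, because capable() tests the
capability against init_user_ns and not against the caller's own user
namespace. open_by_handle_at(2) stands in for the bulkstat ioctl here: its
check, capable(CAP_DAC_READ_SEARCH), is the same pattern and needs no XFS
mount. Assumptions: Linux with unprivileged user namespace creation enabled,
a current directory on a mount owned by init_user_ns, and the two
/proc/self/status excerpts embedded below are constructed samples used only
to exercise the parsing helpers. Raw syscall() calls are used so the example
does not depend on glibc feature macros for the unshare/open_by_handle_at
wrappers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Fixed Linux ABI values (same as linux/capability.h and linux/sched.h). */
#ifndef CAP_DAC_READ_SEARCH
#define CAP_DAC_READ_SEARCH 2
#endif
#ifndef CAP_SYS_ADMIN
#define CAP_SYS_ADMIN 21
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef AT_FDCWD
#define AT_FDCWD -100
#endif

/* Constructed /proc/self/status excerpts (not captured from a real box):
 * an unprivileged process before, and after, unshare(CLONE_NEWUSER) with
 * uid_map "0 <uid> 1", on a kernel that defines 41 capabilities. */
const char *const CONSTRUCTED_STATUS_UNPRIV =
    "Name:\tdemo\nUid:\t1000\t1000\t1000\t1000\n"
    "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";
const char *const CONSTRUCTED_STATUS_CHILD_NS =
    "Name:\tdemo\nUid:\t0\t0\t0\t0\n"
    "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n";

/* CapEff bitmask from status text; 0 if the line is missing. */
unsigned long long cap_eff_from_status(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    return p ? strtoull(p + 7, NULL, 16) : 0ULL;
}

/* Is capability `cap` in the effective set shown by this status text? */
int status_has_cap(const char *status, int cap)
{
    return (int)((cap_eff_from_status(status) >> cap) & 1ULL);
}

static int read_self_status(char *buf, size_t len)
{
    int fd = open("/proc/self/status", O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, len - 1);
    if (fd >= 0) close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Become uid 0 with a full capability set in a NEW user namespace only. */
static int enter_user_ns(void)
{
    char map[64];
    int n = snprintf(map, sizeof map, "0 %u 1", (unsigned)getuid());
    if (syscall(SYS_unshare, CLONE_NEWUSER) < 0) return -1;
    int fd = open("/proc/self/uid_map", O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, map, (size_t)n);
    close(fd);
    return w == n ? 0 : -1;
}

/* Same layout as the kernel's struct file_handle, with 8 bytes of payload. */
struct demo_handle { unsigned int handle_bytes; int handle_type; unsigned char f_handle[8]; };

/* open_by_handle_at(2) runs capable(CAP_DAC_READ_SEARCH), i.e. the check
 * against init_user_ns, before it looks at the handle, so the deliberately
 * bogus handle never matters from a child user namespace. Returns 0 on
 * success, otherwise errno. */
static int probe_open_by_handle(void)
{
    struct demo_handle h = { .handle_bytes = 8, .handle_type = 1 };
    long fd = syscall(SYS_open_by_handle_at, AT_FDCWD, &h, O_RDONLY);
    int err = fd < 0 ? errno : 0;
    if (fd >= 0) close((int)fd);
    return err;
}

int main(void)
{
    char status[8192];
    if (read_self_status(status, sizeof status) == 0)
        printf("before unshare : CapEff=%#018llx CAP_SYS_ADMIN=%d\n",
               cap_eff_from_status(status), status_has_cap(status, CAP_SYS_ADMIN));
    if (enter_user_ns() < 0) {
        perror("unshare(CLONE_NEWUSER)/uid_map (unprivileged userns disabled?)");
        return 1;
    }
    if (read_self_status(status, sizeof status) == 0)
        printf("in child userns: CapEff=%#018llx CAP_SYS_ADMIN=%d\n",
               cap_eff_from_status(status), status_has_cap(status, CAP_SYS_ADMIN));
    int err = probe_open_by_handle();
    printf("open_by_handle_at from child userns: %s\n",
           err == EPERM ? "EPERM - capable() checked init_user_ns, not ours"
                        : (err ? strerror(err) : "succeeded"));
    return 0;
}
```

Build with `cc -o userns_cap userns_cap.c` and run it as an ordinary user. The
second status line shows CapEff with every bit set, including bit 21
(CAP_SYS_ADMIN), and the probe still reports EPERM; that is the gap between
"has CAP_SYS_ADMIN in a namespace" and passing capable(). A check that is
meant to honour namespace-local privilege has to use ns_capable() against the
relevant namespace instead. If the host disables unprivileged user namespace
creation the program says so and exits before the probe.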

Thread overview: 16+ messages
2013-07-30  3:07 [PATCH v7 7/7] enable building user namespace with xfs Dwight Engen
2013-07-30 23:40 ` Ben Myers
2013-07-31  0:21   ` Dave Chinner
2013-07-31 13:25     ` Ben Myers
2013-07-31 17:09       ` Dwight Engen
2013-07-31 23:28       ` Dave Chinner
2013-08-01 15:06         ` Ben Myers
2013-08-01 16:17           ` Dwight Engen
2013-08-06 15:11             ` Serge E. Hallyn
2013-08-07 14:59         ` Serge E. Hallyn
2013-08-07 15:01           ` Serge E. Hallyn
2013-08-11 23:57           ` Dave Chinner [this message]
2013-07-31 18:19     ` Dwight Engen
2013-07-31 23:43       ` Dave Chinner
2013-08-01  0:54         ` Gao feng
2013-07-31  7:20 ` Gao feng
