Re: [PATCH v3 3/5] firmware: fold successful fw read early

2016-01-04 Thread Josh Boyer
On Wed, Dec 23, 2015 at 4:34 PM, Luis R. Rodriguez wrote:
> From: David Howells
>
> We'll be folding in some more checks on fw_read_file_contents();
> this will make the success case easier to follow.
>
> Signed-off-by: David Howells

Re: [PATCH v3 1/5] firmware: generalize "firmware" as "system data" helpers

2016-01-04 Thread Kees Cook
On Wed, Dec 23, 2015 at 1:34 PM, Luis R. Rodriguez wrote:
> From: "Luis R. Rodriguez"
>
> Historically firmware_class code was added to help
> get device driver firmware binaries but these days
> request_firmware*() helpers are being repurposed for

Re: [PATCH v3 5/5] firmware: add an extensible system data helpers

2016-01-04 Thread Kees Cook
On Wed, Dec 23, 2015 at 1:34 PM, Luis R. Rodriguez wrote:
> From: "Luis R. Rodriguez"
>
> The firmware API has evolved over the years slowly, as it
> grows we extend it by adding new routines or at times we extend
> existing routines with more or less

Re: [PATCH v3 2/5] firmware: move completing fw into a helper

2016-01-04 Thread Josh Boyer
On Wed, Dec 23, 2015 at 4:34 PM, Luis R. Rodriguez wrote:
> From: "Luis R. Rodriguez"
>
> This will be re-used later through a new extensible interface.
>
> Signed-off-by: Luis R. Rodriguez

Reviewed-by: Josh Boyer

[PATCH 0/4] X.509: Fix time handling

2016-01-04 Thread David Howells
Here's a set of patches that fix X.509 time handling in three ways:
(1) Fix leap year handling.
(2) Add leap second handling (where you get a time of 23:59:60).
(3) Add end-of-day midnight encoding (where you get a time of 24:00:00).

David
---
David Howells (4):
  X.509: Fix leap year

[RFC PATCH 2/4] Handle ISO 8601 leap seconds and encodings of midnight in mktime64()

2016-01-04 Thread David Howells
Handle the following ISO 8601 features in mktime64(): (1) Leap seconds. Leap seconds are indicated by the seconds parameter being the value 60. Handle this by treating it the same as 00 of the following minute. (2) Alternate encodings of midnight. Two different encodings

[RFC PATCH 4/4] X.509: Handle midnight alternative notation in GeneralizedTime

2016-01-04 Thread David Howells
The ASN.1 GeneralizedTime object carries an ISO 8601 format date and time. The time is permitted to show midnight as 00:00 or 24:00 (the latter being the equivalent of 00:00 of the following day). The permitted value is checked in x509_decode_time() but the actual handling is left to mktime64().

[RFC PATCH 3/4] X.509: Support leap seconds

2016-01-04 Thread David Howells
The format of ASN.1 GeneralizedTime seems to be specified by ISO 8601 [X.680 46.3] and this apparently supports leap seconds (i.e. the seconds field is 60). It's not entirely clear that ASN.1 expects it, but we can relax the seconds check slightly for GeneralizedTime. This results in us passing a

[PATCH RESEND v2 07/18] fs: Check for invalid i_uid in may_follow_link()

2016-01-04 Thread Seth Forshee
Filesystem uids which don't map into a user namespace may result in inode->i_uid being INVALID_UID. A symlink and its parent that have different owners in the filesystem can both get mapped to INVALID_UID, which may result in following a symlink when this would not have otherwise been permitted

[PATCH RESEND v2 05/18] userns: Replace in_userns with current_in_userns

2016-01-04 Thread Seth Forshee
All current callers of in_userns pass current_user_ns as the first argument. Simplify by replacing in_userns with current_in_userns which checks whether current_user_ns is in the namespace supplied as an argument. Signed-off-by: Seth Forshee Acked-by: James Morris

[PATCH RESEND v2 00/19] Support fuse mounts in user namespaces

2016-01-04 Thread Seth Forshee
These patches implement support for mounting filesystems in user namespaces using fuse. They are based on the patches in the for-testing branch of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git, but I've rebased them onto 4.4-rc3. I've pushed all of this to:

[PATCH RESEND v2 18/18] fuse: Allow user namespace mounts

2016-01-04 Thread Seth Forshee
Signed-off-by: Seth Forshee --- fs/fuse/inode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index b7bdfdac3521..2fd338c199ce 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -1201,7 +1201,7 @@ static

[PATCH RESEND v2 03/18] fs: Treat foreign mounts as nosuid

2016-01-04 Thread Seth Forshee
From: Andy Lutomirski If a process gets access to a mount from a different user namespace, that process should not be able to take advantage of setuid files or selinux entrypoints from that filesystem. Prevent this by treating mounts from other mount namespaces and those

[PATCH RESEND v2 17/18] fuse: Restrict allow_other to the superblock's namespace or a descendant

2016-01-04 Thread Seth Forshee
Unprivileged users are normally restricted from mounting with the allow_other option by system policy, but this could be bypassed for a mount done with user namespace root permissions. In such cases allow_other should not allow users outside the userns to access the mount as doing so would give

[PATCH RESEND v2 08/18] cred: Reject inodes with invalid ids in set_create_file_as()

2016-01-04 Thread Seth Forshee
Using INVALID_[UG]ID for the LSM file creation context doesn't make sense, so return an error if the inode passed to set_create_file_as() has an invalid id. Signed-off-by: Seth Forshee Acked-by: Serge Hallyn --- kernel/cred.c | 2 ++ 1

[PATCH RESEND v2 09/18] fs: Refuse uid/gid changes which don't map into s_user_ns

2016-01-04 Thread Seth Forshee
Add checks to inode_change_ok to verify that uid and gid changes will map into the superblock's user namespace. If they do not, fail with -EOVERFLOW. This cannot be overridden with ATTR_FORCE. Signed-off-by: Seth Forshee Acked-by: Serge Hallyn

[PATCH RESEND v2 16/18] fuse: Support fuse filesystems outside of init_user_ns

2016-01-04 Thread Seth Forshee
In order to support mounts from namespaces other than init_user_ns, fuse must translate uids and gids to/from the userns of the process servicing requests on /dev/fuse. This patch does that, with a couple of restrictions on the namespace: - The userns for the fuse connection is fixed to the

[PATCH RESEND v2 14/18] capabilities: Allow privileged user in s_user_ns to set security.* xattrs

2016-01-04 Thread Seth Forshee
A privileged user in s_user_ns will generally have the ability to manipulate the backing store and insert security.* xattrs into the filesystem directly. Therefore the kernel must be prepared to handle these xattrs from unprivileged mounts, and it makes little sense for commoncap to prevent

[PATCH RESEND v2 12/18] fs: Don't remove suid for CAP_FSETID in s_user_ns

2016-01-04 Thread Seth Forshee
Expand the check in should_remove_suid() to keep privileges for CAP_FSETID in s_user_ns rather than init_user_ns. Signed-off-by: Seth Forshee Acked-by: Serge Hallyn --- fs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

[PATCH RESEND v2 04/18] selinux: Add support for unprivileged mounts from user namespaces

2016-01-04 Thread Seth Forshee
Security labels from unprivileged mounts in user namespaces must be ignored. Force superblocks from user namespaces whose labeling behavior is to use xattrs to use mountpoint labeling instead. For the mountpoint label, default to converting the current task context into a form suitable for file

[PATCH RESEND v2 15/18] fuse: Add support for pid namespaces

2016-01-04 Thread Seth Forshee
If the userspace process servicing fuse requests is running in a pid namespace then pids passed via the fuse fd need to be translated relative to that namespace. Capture the pid namespace in use when the filesystem is mounted and use this for pid translation. Since no use case currently exists

[PATCH RESEND v2 13/18] fs: Allow superblock owner to access do_remount_sb()

2016-01-04 Thread Seth Forshee
Superblock level remounts are currently restricted to global CAP_SYS_ADMIN, as is the path for changing the root mount to read only on umount. Loosen both of these permission checks to also allow CAP_SYS_ADMIN in any namespace which is privileged towards the userns which originally mounted the

[PATCH RESEND v2 02/18] block_dev: Check permissions towards block device inode when mounting

2016-01-04 Thread Seth Forshee
Unprivileged users should not be able to mount block devices when they lack sufficient privileges towards the block device inode. Update blkdev_get_by_path() to validate that the user has the required access to the inode at the specified path. The check will be skipped for CAP_SYS_ADMIN, so

[PATCH RESEND v2 11/18] fs: Ensure the mounter of a filesystem is privileged towards its inodes

2016-01-04 Thread Seth Forshee
The mounter of a filesystem should be privileged towards the inodes of that filesystem. Extend the checks in inode_owner_or_capable() and capable_wrt_inode_uidgid() to permit access by users privileged in the user namespace of the inode's superblock. Signed-off-by: Seth Forshee