notify_change() already calls security_inode_setattr() before
calling iop->setattr.
Signed-off-by: Steve Beattie [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/proc/proc_sysctl.c |7 ++-
1 file changed, 2
notify_change() already calls security_inode_setattr() before
calling iop->setattr.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/proc/base.c |7 ++-
1 file changed, 2 insertions(+),
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/nfsd/nfs4xdr.c |2 +-
fs/nfsd/vfs.c
First, when d_path() hits a lazily unmounted mount point, it tries to prepend
the name of the lazily unmounted dentry to the path name. It gets this wrong,
and also overwrites the slash that separates the name from the following
pathname component.
Second, it isn't always possible to tell from
All the things that didn't nicely fit in a category on their own: kbuild
code, declarations and inline functions, /sys/kernel/security/apparmor
filesystem for controlling apparmor from user space, profile list
functions, locking documentation, /proc/$pid/task/$tid/attr/current
access.
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/nfsd/vfs.c | 16 +++-
fs/xattr.c
Module parameters, LSM hooks, initialization and teardown.
Signed-off-by: John Johansen [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
---
security/apparmor/lsm.c | 829
1 file changed, 829 insertions(+)
--- /dev/null
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ecryptfs/inode.c |5 -
fs/namei.c | 10
Right now, the path that __d_path() computes can become slightly
inconsistent when it races with mount operations: it grabs the
vfsmount_lock when traversing mount points, but immediately drops it
again, only to re-grab it when it reaches the next mount point.
The result is that the filename
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/xattr.c |2 +-
include/linux/security.h | 15 +--
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ecryptfs/inode.c |9 +++--
fs/namei.c |
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h |7 +--
Adds necessary export symbols for audit subsystem routines.
Changes audit_log_vformat to be externally visible (analogous to vprintf)
Patch is not in mainline -- pending AppArmor code submission to lkml
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL
Pass struct path to remove_suid and should_remove_suid instead of
only the dentry. Required by a later patch that adds a struct
vfsmount parameter to notify_change().
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen
Pathname matching, transition table loading, profile loading and
manipulation.
Signed-off-by: John Johansen [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
---
security/apparmor/match.c| 232
security/apparmor/match.h| 83
Struct iattr already contains ia_file since commit cc4e69de from
Miklos (which is related to commit befc649c). Use this to pass
struct file down the setattr hooks. This allows LSMs to distinguish
operations on file descriptors from operations on paths.
Signed-off-by: Andreas Gruenbacher [EMAIL
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ecryptfs/inode.c |4 +++-
fs/namei.c |6
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h |8 ++--
The vfsmount parameter must be set appropriately for files visible
outside the kernel. Files that are only used in a filesystem (e.g.,
reiserfs xattr files) will have a NULL vfsmount.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by:
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/nfsd/vfs.c |3 ++-
fs/xattr.c| 12
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/xattr.c |2 +-
include/linux/security.h | 12 +++-
Signed-off-by: John Johansen [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
---
security/Kconfig |1 +
security/Makefile |1 +
2 files changed, 2 insertions(+)
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -94,6 +94,7 @@ config SECURITY_ROOTPLUG
If
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/stat.c|2 +-
include/linux/security.h | 11 +++
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h | 12
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |6 --
include/linux/security.h | 18
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/xattr.c |4 ++--
include/linux/security.h | 40
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ecryptfs/inode.c |3 ++-
fs/namei.c|4
The underlying functions by which the AppArmor LSM hooks are implemented.
Signed-off-by: John Johansen [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
---
security/apparmor/main.c | 1322 +++
1 file changed, 1322 insertions(+)
On Wed, Apr 11, 2007 at 07:49:38PM -0700, Nate Diller wrote:
read_mapping_page_async() is going away, so convert its only user to
read_mapping_page(). This change has not been benchmarked, however, in
order to get real parallelism this wants something completely different,
like
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h | 12
This post contains patches to include the AppArmor application security
framework, with request for inclusion.
The patch series consists of four areas:
(1) Pass struct vfsmount through to LSM hooks.
Tony Jones has posted almost all of these patches here before on
February 5; the
Third, sys_getcwd() shouldn't return disconnected paths. The patch checks for
that, and makes it fail with -ENOENT in that case
That is a fairly significant and sudden change to the existing
kernel/user interface.
Fourth, this now allows us to tell unreachable mount points from reachable
In AppArmor we are interested in pathnames relative to the namespace
root. Except for the root where the search ends, this is the same as
d_path(). Add d_namespace_path() for that.
internals.
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Reviewed-by: John Johansen [EMAIL PROTECTED]
---
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ecryptfs/inode.c |7 ++-
fs/namei.c | 19
If we unhash the dentry before calling the security_inode_rmdir hook,
we cannot compute the file's pathname in the hook anymore. AppArmor
needs to know the filename in order to decide whether a file may be
deleted, though.
Signed-off-by: John Johansen [EMAIL PROTECTED]
Signed-off-by: Andreas
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h |9 ++---
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/xattr.c |2 +-
include/linux/security.h | 13 -
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/xattr.c| 25 ++---
On Thu, 12 Apr 2007 02:08:12 -0700
[EMAIL PROTECTED] wrote:
notify_change() already calls security_inode_setattr() before
calling iop->setattr.
This is a behaviour change on all of these and limits some behaviour of
existing established security modules
When inode_change_ok is called it has
On Thu, Apr 12, 2007 at 02:08:10AM -0700, [EMAIL PROTECTED] wrote:
This is needed for computing pathnames in the AppArmor LSM.
Which is an argument against said LSM in current form.
- error = security_inode_create(dir, dentry, mode);
+ error = security_inode_create(dir, dentry, nd ?
+
+ /**
+ * parent can ptrace child when
+ * - parent is unconfined
+ * - parent is in complain mode
+ * - parent and child are confined by the same profile
+ */
Your profiles are name based. That means the same profile in a different
namespace does different
+ th.td_id = ntohs(*(u16 *) (blob));
+ th.td_flags = ntohs(*(u16 *) (blob + 2));
+ th.td_lolen = ntohl(*(u32 *) (blob + 8));
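Review bot: the three header reads at blob, blob + 2 and blob + 8 cast the buffer pointer to u16 * / u32 * and dereference it directly, which assumes the blob is naturally aligned and at least 12 bytes long; neither is established in the lines shown. Check the remaining length before parsing the header, and read the fields through get_unaligned() with __be16 / __be32 types and be16_to_cpu() / be32_to_cpu(), so sparse can verify the byte order.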
Use cpu_to and _to_cpu functions for here so it is clear the intended
direction and endianness.
+
+static inline int aa_inbounds(struct aa_ext *e, size_t
On Thu, Apr 12, 2007 at 02:08:49AM -0700, [EMAIL PROTECTED] wrote:
+ } else if (profile1 profile2) {
+ /* profile1 cannot be NULL here. */
+ spin_lock_irqsave(profile1-lock, profile1-int_flags);
+ if (profile2)
+
[EMAIL PROTECTED] wrote:
This post contains patches to include the AppArmor application security
framework, with request for inclusion.
question in general, this seems like a fairly invasive series of
patches. back when I first started graduate school, I prototyped a
relatively simple
+ * aa_taskattr_access
+ * @name: name of the file to check
+ *
+ * Check if name matches /proc/self/attr/current, with self resolved
+ * to the current pid. This file is the usermode iterface for
+ * changing one's hat.
+ */
+static inline int aa_taskattr_access(const char *name)
+{
+
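Review bot: the kernel-doc comment for aa_taskattr_access() does not say what the int return value means, so a caller cannot tell from the comment whether non-zero is a match or an error; add a "Returns" line. The comment should also state what form of @name is expected (the check is a string match against /proc/self/attr/current with self resolved to the current pid), and "iterface" should read "interface".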
+char *d_namespace_path(struct dentry *dentry, struct vfsmount *vfsmnt,
+char *buf, int buflen)
+{
+ char *res;
+ struct vfsmount *rootmnt, *nsrootmnt;
+ struct dentry *root;
+
+ read_lock(current-fs-lock);
+ rootmnt = mntget(current-fs-rootmnt);
+
Nate Diller [EMAIL PROTECTED] wrote:
-static struct page *afs_dir_get_page(struct inode *dir, unsigned long index)
NAK. This conflicts with my AFS security patches, and eliminates any way of
passing the key through to readpage().
David
-
To unsubscribe from this list: send the line
I'm interested in getting input for implementing an ioctl to efficiently
map file extents holes (FIEMAP) instead of looping over FIBMAP a billion
times. We already have customers with single files in the 10TB range and
we additionally need to get the mapping over the network so it needs to
be
Hi Andreas,
On 12 Apr 2007, at 12:05, Andreas Dilger wrote:
I'm interested in getting input for implementing an ioctl to
efficiently
map file extents holes (FIEMAP) instead of looping over FIBMAP a
billion
times. We already have customers with single files in the 10TB
range and
we
Hi,
On Thu, 12 Apr 2007, Christoph Hellwig wrote:
On Wed, Apr 11, 2007 at 07:49:38PM -0700, Nate Diller wrote:
read_mapping_page_async() is going away, so convert its only user to
read_mapping_page(). This change has not been benchmarked, however, in
order to get real parallelism this
[EMAIL PROTECTED] writes:
[didn't review code fully, just some stuff I noticed]
+
+struct aa_dfa {
+ struct table_header *tables[YYTD_ID_NXT];
+};
If that is passed in from user space you would need special compat
code for 64bit kernels who support 32bit userland.
Better to avoid
Nate Diller wrote:
+ page = read_cache_page(OFNI_EDONI_2SFFJ(f)-i_mapping,
+ start PAGE_CACHE_SHIFT,
+ (void *)jffs2_do_readpage_unlock,
+ OFNI_EDONI_2SFFJ(f));
- if (IS_ERR(pg_ptr)) {
+ if
On Thu, 2007-04-12 at 06:48 +0200, Nick Piggin wrote:
http://www.kernel.org/pub/linux/kernel/people/npiggin/patches/new-aops/
2.6.21-rc6-new-aops*
New aops patchset against 2.6.21-rc6.
Building modules, stage 2.
MODPOST 558 modules
WARNING: .cont_prepare_write [fs/hfsplus/hfsplus.ko]
From: Miklos Szeredi [EMAIL PROTECTED]
If MNT_NS_PERMIT_USERMOUNTS flag is not set for the current namespace,
then unprivileged mounts will be denied.
By default this flag is cleared in all namespaces.
Signed-off-by: Miklos Szeredi [EMAIL PROTECTED]
---
Index: linux/fs/namespace.c
This patchset adds support for keeping mount ownership information in
the kernel, and allow unprivileged mount(2) and umount(2) in certain
cases.
This can be useful for the following reasons:
- mount(8) can store ownership (user=XY option) in the kernel
instead, or in addition to storing it in
From: Miklos Szeredi [EMAIL PROTECTED]
Add ownership information to mounts.
A new mount flag, MS_SETUSER is used to make a mount owned by a user.
If this flag is specified, then the owner will be set to the current
real user id and the mount will be marked with the MNT_USER flag. On
remount
From: Miklos Szeredi [EMAIL PROTECTED]
Allow bind mounts to unprivileged users if the following conditions
are met:
- user mounts are permitted in the current mount namespace
- mountpoint is not a symlink or special file
- mountpoint is not a sticky directory or is owned by the current
From: Miklos Szeredi [EMAIL PROTECTED]
Use FS_SAFE for fuse fs type, but not for fuseblk.
FUSE was designed from the beginning to be safe for unprivileged
users. This has also been verified in practice over many years. And
unprivileged fuse mounts still require a private namespace with user
From: Miklos Szeredi [EMAIL PROTECTED]
Allow clone_mnt() to return errors other than ENOMEM. This will be
used for returning a different error value when the number of user
mounts goes over the limit.
Fix copy_tree() to return EPERM for unbindable mounts.
Don't propagate further from
From: Miklos Szeredi [EMAIL PROTECTED]
Add sysctl variables for accounting and limiting the number of user
mounts.
The maximum number of user mounts is set to 1024 by default. This
won't in itself enable user mounts, setting the permit user mount in
namespace flag will also be needed.
From: Miklos Szeredi [EMAIL PROTECTED]
Define a new fs flag FS_SAFE, which denotes, that unprivileged
mounting of this filesystem may not constitute a security problem.
Since most filesystems haven't been designed with unprivileged
mounting in mind, a thorough audit is needed before setting this
From: Miklos Szeredi [EMAIL PROTECTED]
The owner doesn't need sysadmin capabilities to call umount().
Similar behavior as umount(8) on mounts having user=UID option in
/etc/mtab. The difference is that umount also checks /etc/fstab,
presumably to exclude another mount on the same mountpoint.
From: Miklos Szeredi [EMAIL PROTECTED]
If CLONE_NEWNS and CLONE_NEWNS_USERMNT are given to clone(2) or
unshare(2), then allow user mounts within the new namespace.
This is not flexible enough, because user mounts can't be enabled for
the initial namespace.
The remaining clone bits also getting
Did some performance testing of the fuse_perform_write implementation.
Result with a passthrough filesystem onto a backing tmpfs directory is that
bulk (1MB) writes are nearly 4 times faster (256MB/s vs 71MB/s), because
FUSE can send larger requests to userspace. Block based filesystems will
On Thu, Apr 12, 2007 at 06:48:52AM +0200, Nick Piggin wrote:
Need to think about how to merge this.
Maybe a spin in -mm? That'll have to be minus fs-ocfs2-aops.patch, but I'm
just working out the last few issues in a new one for you anyway. FWIW, I'm
very happy with the way these patches have
On 4/12/07, David Howells [EMAIL PROTECTED] wrote:
Nate Diller [EMAIL PROTECTED] wrote:
-static struct page *afs_dir_get_page(struct inode *dir, unsigned long index)
NAK. This conflicts with my AFS security patches, and eliminates any way of
passing the key through to readpage().
Hmmm
On 4/12/07, Phillip Lougher [EMAIL PROTECTED] wrote:
Nate Diller wrote:
+ page = read_cache_page(OFNI_EDONI_2SFFJ(f)-i_mapping,
+ start PAGE_CACHE_SHIFT,
+ (void *)jffs2_do_readpage_unlock,
+
On 4/12/07, Roman Zippel [EMAIL PROTECTED] wrote:
Hi,
On Thu, 12 Apr 2007, Christoph Hellwig wrote:
On Wed, Apr 11, 2007 at 07:49:38PM -0700, Nate Diller wrote:
read_mapping_page_async() is going away, so convert its only user to
read_mapping_page(). This change has not been benchmarked,
Nate Diller wrote:
wow, you're right. I was sure I compile-tested this ... oh, depends
on MTD. oops.
thanks for reviewing. does it look OK to you otherwise?
Yes..
NATE
Nate Diller [EMAIL PROTECTED] wrote:
Hmmm you're right. Is your security work going into the next -mm?
I don't know. Andrew hasn't said anything. Andrew? Are you waiting for it
to go through DaveM's networking tree?
If so, I'll just re-base this cleanup patch on that ... at the very least
On Thu, 12 Apr 2007 19:57:23 +0100
David Howells [EMAIL PROTECTED] wrote:
Hmmm you're right. Is your security work going into the next -mm?
I don't know. Andrew hasn't said anything. Andrew? Are you waiting for it
to go through DaveM's networking tree?
AF_RXRPC is a davem thing and
On 4/12/07, David Howells [EMAIL PROTECTED] wrote:
Nate Diller [EMAIL PROTECTED] wrote:
Hmmm you're right. Is your security work going into the next -mm?
I don't know. Andrew hasn't said anything. Andrew? Are you waiting for it
to go through DaveM's networking tree?
If so, I'll just
Andrew Morton [EMAIL PROTECTED] wrote:
Hmmm you're right. Is your security work going into the next -mm?
I don't know. Andrew hasn't said anything. Andrew? Are you waiting for it
to go through DaveM's networking tree?
AF_RXRPC is a davem thing and AFS: Add security support and
Nate Diller [EMAIL PROTECTED] wrote:
but that's a lot of code to avoid a single stack allocation. The
whole fake file pointer thing still strikes me as a little ugly, and
you're definitely not the first one who needed this sort of hackery.
ugh
A better way might be to stick a void * in
Hi!
AppArmor's Overall Design
=
AppArmor protects systems from vulnerable software by confining
processes, giving them least privilege access to the system's
resources: with least privilege, processes are allowed exactly what they
need, nothing more, and nothing
hello,
we're looking for some input regarding expanding fcntl(2) file leases
somewhat, in order to implement NFSv4 file delegations.
somewhat similar to Samba and OPLOCKs, NFSv4 file delegations are
implemented with leases. however, the current lease subsystem only breaks
leases
Quoting Miklos Szeredi ([EMAIL PROTECTED]):
From: Miklos Szeredi [EMAIL PROTECTED]
If CLONE_NEWNS and CLONE_NEWNS_USERMNT are given to clone(2) or
unshare(2), then allow user mounts within the new namespace.
This is not flexible enough, because user mounts can't be enabled for
the initial
On Thu, Apr 12, 2007 at 07:05:02PM +0200, Miklos Szeredi wrote:
Did some performance testing of the fuse_perform_write implementation.
Result with a passthrough filesystem onto a backing tmpfs directory is that
bulk (1MB) writes are nearly 4 times faster (256MB/s vs 71MB/s), because
FUSE
On Thu, Apr 12, 2007 at 10:27:34AM -0700, Mark Fasheh wrote:
On Thu, Apr 12, 2007 at 06:48:52AM +0200, Nick Piggin wrote:
Need to think about how to merge this.
Maybe a spin in -mm? That'll have to be minus fs-ocfs2-aops.patch, but I'm
just working out the last few issues in a new one for
On Thu, 2007-04-12 at 05:05 -0600, Andreas Dilger wrote:
I'm interested in getting input for implementing an ioctl to efficiently
map file extents holes (FIEMAP) instead of looping over FIBMAP a billion
times. We already have customers with single files in the 10TB range and
we additionally
On Apr 12, 2007 12:22 +0100, Anton Altaparmakov wrote:
On 12 Apr 2007, at 12:05, Andreas Dilger wrote:
I'm interested in getting input for implementing an ioctl to
efficiently map file extents holes (FIEMAP) instead of looping
over FIBMAP a billion times. We already have customers with
On Thu, Apr 12, 2007 at 03:32:08PM -0500, Serge E. Hallyn wrote:
Quoting Miklos Szeredi ([EMAIL PROTECTED]):
From: Miklos Szeredi [EMAIL PROTECTED]
If CLONE_NEWNS and CLONE_NEWNS_USERMNT are given to clone(2) or
unshare(2), then allow user mounts within the new namespace.
This is not
Serge E. Hallyn [EMAIL PROTECTED] writes:
Quoting Miklos Szeredi ([EMAIL PROTECTED]):
From: Miklos Szeredi [EMAIL PROTECTED]
If CLONE_NEWNS and CLONE_NEWNS_USERMNT are given to clone(2) or
unshare(2), then allow user mounts within the new namespace.
This is not flexible enough, because