On Tue, May 29, 2018 at 04:45:59PM +0200, Miklos Szeredi wrote:
> From: Vivek Goyal
>
> ovl_open() should open file which contains data and not open metacopy
> inode. With the introduction of metacopy inodes, with current
> implementation we will end up opening metacopy inode as
On Mon, May 14, 2018 at 09:58:03AM -0400, Vivek Goyal wrote:
[..]
> Talked to Dan and he mentioned that he was trying to test entrypoint
> failure (and not exec failure) and that's why he might have allowed exec
> to mounter.
>
> I think that current entrypoint test'
On Fri, May 11, 2018 at 03:42:48PM -0400, Vivek Goyal wrote:
> On Fri, May 11, 2018 at 02:54:30PM -0400, Vivek Goyal wrote:
> > On Mon, May 07, 2018 at 10:37:54AM +0200, Miklos Szeredi wrote:
> > > Let overlayfs do its thing when opening a file.
> > >
> > >
On Fri, May 11, 2018 at 02:54:30PM -0400, Vivek Goyal wrote:
> On Mon, May 07, 2018 at 10:37:54AM +0200, Miklos Szeredi wrote:
> > Let overlayfs do its thing when opening a file.
> >
> > This enables stacking and fixes the corner case when a file is opened for
> &g
On Mon, May 07, 2018 at 10:37:54AM +0200, Miklos Szeredi wrote:
> Let overlayfs do its thing when opening a file.
>
> This enables stacking and fixes the corner case when a file is opened for
> read, modified through a writable open, and data is read from the read-only
> file. After this patch th
On Mon, May 07, 2018 at 10:37:42AM +0200, Miklos Szeredi wrote:
> Signed-off-by: Miklos Szeredi
> ---
> fs/overlayfs/super.c | 4
> 1 file changed, 4 insertions(+)
>
> diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
> index e8551c97de51..ad6a5baf226b 100644
> --- a/fs/overlayfs/sup
On Thu, Apr 26, 2018 at 05:01:37PM +0200, Miklos Szeredi wrote:
> On Thu, Apr 26, 2018 at 4:56 PM, Vivek Goyal wrote:
> > On Thu, Apr 26, 2018 at 04:43:53PM +0200, Miklos Szeredi wrote:
> >> On Thu, Apr 26, 2018 at 4:13 PM, Vivek Goyal wrote:
> >> > On Thu, Ap
On Thu, Apr 26, 2018 at 04:43:53PM +0200, Miklos Szeredi wrote:
> On Thu, Apr 26, 2018 at 4:13 PM, Vivek Goyal wrote:
> > On Thu, Apr 12, 2018 at 05:08:00PM +0200, Miklos Szeredi wrote:
> >
> > [..]
> >> diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> &
On Thu, Apr 12, 2018 at 05:08:00PM +0200, Miklos Szeredi wrote:
[..]
> diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> new file mode 100644
> index ..a0b606885c41
> --- /dev/null
> +++ b/fs/overlayfs/file.c
> @@ -0,0 +1,76 @@
> +/*
> + * Copyright (C) 2017 Red Hat, Inc.
> + *
On Thu, Apr 12, 2018 at 05:07:58PM +0200, Miklos Szeredi wrote:
> Copy i_size of the underlying inode to the overlay inode in ovl_copyattr().
>
> This is in preparation for stacking I/O operations on overlay files.
>
> This patch shouldn't have any observable effect.
>
> Signed-off-by: Miklos Sz
On Mon, Apr 23, 2018 at 03:39:45PM +0200, Miklos Szeredi wrote:
> On Mon, Apr 23, 2018 at 3:36 PM, Vivek Goyal wrote:
> > On Thu, Apr 12, 2018 at 05:08:04PM +0200, Miklos Szeredi wrote:
> >> Implement stacked fsync().
> >>
> >> Signed-off-by: Miklos Szeredi
On Thu, Apr 12, 2018 at 05:08:04PM +0200, Miklos Szeredi wrote:
> Implement stacked fsync().
>
> Signed-off-by: Miklos Szeredi
> ---
> fs/overlayfs/file.c | 20
> 1 file changed, 20 insertions(+)
>
> diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> index b98204c1c19
On Wed, Apr 18, 2018 at 03:49:02PM +0200, Miklos Szeredi wrote:
> On Wed, Apr 18, 2018 at 3:38 PM, Steven Rostedt wrote:
> > On Wed, 18 Apr 2018 13:42:03 +0200
> > Miklos Szeredi wrote:
> >
> >> On Wed, Apr 18, 2018 at 10:19 AM, Amir Goldstein
> >> wrote:
> >> > On Thu, Apr 12, 2018 at 6:08 PM,
On Thu, Apr 12, 2018 at 05:08:15PM +0200, Miklos Szeredi wrote:
> This reverts commit cd91304e7190b4c4802f8e413ab2214b233e0260.
>
> Overlayfs no longer relies on the vfs correct atime handling.
>
> Signed-off-by: Miklos Szeredi
> ---
> fs/inode.c | 21 -
> fs/ove
On Thu, Apr 12, 2018 at 05:07:55PM +0200, Miklos Szeredi wrote:
> Copy up mtime and ctime to overlay inode after times in real object are
> modified. Be careful not to dirty cachelines when not necessary.
>
> This is in preparation for moving overlay functionality out of the VFS.
>
> This patch
ned-off-by from its author.
>
> Hi Steven,
>
> AFAIK for trivial work we are not required to get a signoff from the author.
I am fine with putting my Signed-off-by, if it is required.
Signed-off-by: Vivek Goyal
BTW, I also posted same patch in next series with Signed-off-by:
https://www.spinics.net/lists/linux-unionfs/msg04510.html
Thanks
Vivek
On Mon, Dec 18, 2017 at 12:39:50PM -0800, Khazhismel Kumykov wrote:
> On Mon, Dec 18, 2017 at 10:29 AM, Vivek Goyal wrote:
> > On Mon, Dec 18, 2017 at 10:16:02AM -0800, Khazhismel Kumykov wrote:
> >> On Mon, Nov 20, 2017 at 8:36 PM, Khazhismel Kumykov
> >> wrote:
>
On Mon, Dec 18, 2017 at 10:16:02AM -0800, Khazhismel Kumykov wrote:
> On Mon, Nov 20, 2017 at 8:36 PM, Khazhismel Kumykov wrote:
> > On Fri, Nov 17, 2017 at 11:26 AM, Shaohua Li wrote:
> >> On Thu, Nov 16, 2017 at 08:25:58PM -0800, Khazhismel Kumykov wrote:
> >>> On Thu, Nov 16, 2017 at 8:50 AM,
On Thu, Nov 16, 2017 at 08:50:33AM -0800, Shaohua Li wrote:
[..]
> Can you describe why we need this? It would be great if you can describe the
> usage model and an example. Does this work for io.low/io.max or both?
Hi Shaohua,
Is there any documentation for "io.low" somewhere now? Should we upd
On Wed, Jun 28, 2017 at 04:01:48PM -0600, Ross Zwisler wrote:
> To be able to use the common 4k zero page in DAX we need to have our PTE
> fault path look more like our PMD fault path where a PTE entry can be
> marked as dirty and writeable as it is first inserted, rather than waiting
> for a follo
On Tue, Jul 18, 2017 at 09:21:22AM -0400, Stefan Berger wrote:
> On 07/18/2017 08:30 AM, Vivek Goyal wrote:
> > On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote:
> > > On 07/18/2017 07:48 AM, Vivek Goyal wrote:
> > > > On Mon, Jul 17, 2017 at 04:50:2
On Tue, Jul 18, 2017 at 08:30:09AM -0400, Vivek Goyal wrote:
> On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote:
> > On 07/18/2017 07:48 AM, Vivek Goyal wrote:
> > > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote:
> > > > On 07/17/20
On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote:
> On 07/18/2017 07:48 AM, Vivek Goyal wrote:
> > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote:
> > > On 07/17/2017 02:58 PM, Vivek Goyal wrote:
> > > > On Tue, Jul 11, 2017 at 11:05:1
On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote:
> On 07/17/2017 02:58 PM, Vivek Goyal wrote:
> > On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote:
> >
> > [..]
> > > +/*
> > > + * xattr_list_userns_rewrite - Rewrite list of
On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote:
[..]
> +/*
> + * xattr_list_userns_rewrite - Rewrite list of xattr names for user
> namespaces
> + * or determine needed size for attribute list
> + * in case size == 0
> + *
> +
On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote:
[..]
> @@ -301,14 +721,39 @@ ssize_t
> __vfs_getxattr(struct dentry *dentry, struct inode *inode, const char *name,
> void *value, size_t size)
> {
> - const struct xattr_handler *handler;
> + const struct xattr_
On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote:
> Quoting Vivek Goyal (vgo...@redhat.com):
> > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:
> > > This series of patches' primary goal is to enable file capabilities
> > > in user names
On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:
> This series of patches' primary goal is to enable file capabilities
> in user namespaces without affecting the file capabilities that are
> effective on the host. This is to prevent that any unprivileged user
> on the host maps his own
On Tue, Jun 20, 2017 at 08:42:45AM +0300, Amir Goldstein wrote:
> On Tue, Jun 20, 2017 at 12:34 AM, Eric W. Biederman
> wrote:
> > "Serge E. Hallyn" writes:
> >
> >> Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
> >>> On 06/14/2017 11:05 PM, Serge E. Hallyn wrote:
> >>> >On Wed, Jun 14, 201
On Fri, Mar 10, 2017 at 03:58:20PM +0100, Thomas Gleixner wrote:
> On Fri, 10 Mar 2017, Vivek Goyal wrote:
> > I think we probably will have to initialize these global variables in
> > purgatory itself and that puts them in .data section and relocation
> > works.
> >
On Fri, Mar 10, 2017 at 02:57:38PM +0100, Thomas Gleixner wrote:
> On Fri, 10 Mar 2017, Mike Galbraith wrote:
> > On Fri, 2017-03-10 at 13:17 +0100, Thomas Gleixner wrote:
> > > The purgatory code defines global variables which are referenced via a
> > > symbol lookup in the kexec code (core and ar
On Mon, Feb 20, 2017 at 04:47:05PM -0800, James Bottomley wrote:
[..]
> +static int shiftfs_readlink(struct dentry *dentry, char __user *data,
> + int flags)
> +{
> + struct dentry *real = dentry->d_fsdata;
> + const struct inode_operations *iop = real->d_inode->i_o
On Tue, Feb 21, 2017 at 05:23:26PM -0500, James Bottomley wrote:
> On Tue, 2017-02-21 at 11:06 -0500, Vivek Goyal wrote:
> > On Mon, Feb 20, 2017 at 04:47:05PM -0800, James Bottomley wrote:
> >
> > [..]
> > > +static struct dentry *shiftfs_lookup(struct inode *di
On Mon, Feb 20, 2017 at 04:47:05PM -0800, James Bottomley wrote:
[..]
> +static struct dentry *shiftfs_lookup(struct inode *dir, struct dentry
> *dentry,
> + unsigned int flags)
> +{
> + struct dentry *real = dir->i_private, *new;
> + struct inode *reali =
On Sat, Feb 18, 2017 at 07:24:38PM -0800, James Bottomley wrote:
[..]
> > > Yes, this is a known characteristic of stacked filesystems. Is
> > > there some magic I don't know about that would make it easier to
> > > reflect hard links as aliases?
> >
> > I think overlayfs had the same issue in
On Fri, Feb 17, 2017 at 09:34:07AM -0800, James Bottomley wrote:
> On Fri, 2017-02-17 at 02:55 +, Al Viro wrote:
> > On Thu, Feb 16, 2017 at 07:56:30AM -0800, James Bottomley wrote:
> >
> > > > Hi James,
> > > >
> > > > Should it be "return d_splice_alias()" so that if we find an
> > > > ali
On Fri, Feb 17, 2017 at 05:51:18PM +, Al Viro wrote:
> On Fri, Feb 17, 2017 at 09:24:40AM -0800, James Bottomley wrote:
>
> > > What happens when somebody comes along and creates the damn thing on
> > > the underlying fs? _Not_ via your code, that is - using the
> > > underlying fs mounted
On Thu, Feb 16, 2017 at 07:51:58AM -0800, James Bottomley wrote:
[..]
> > Two levels of checks will simplify this a bit. Top level inode will
> > belong to the user namespace of caller and checks should pass. And
> > mounter's creds will have ownership over the real inode so no
> > additional n
On Sat, Feb 04, 2017 at 11:19:32AM -0800, James Bottomley wrote:
[..]
> +static struct dentry *shiftfs_lookup(struct inode *dir, struct dentry
> *dentry,
> + unsigned int flags)
> +{
> + struct dentry *real = dir->i_private, *new;
> + struct inode *reali =
On Tue, Feb 14, 2017 at 03:45:55PM -0800, James Bottomley wrote:
> On Tue, 2017-02-14 at 18:03 -0500, Vivek Goyal wrote:
> > On Sun, Feb 05, 2017 at 05:18:11PM -0800, James Bottomley wrote:
> >
> > [..]
> > > > shiftfs is going to miss out on overlayfs
On Sun, Feb 05, 2017 at 05:18:11PM -0800, James Bottomley wrote:
[..]
> > shiftfs is going to miss out on overlayfs bug fixes related to user
> > credentials differ from mounter credentials, like fd3220d ("ovl:
> > update S_ISGID when setting posix ACLs"). I am not sure that this
> > specific
k should be allowed to use reserved space on underlying filesystem
when doing overlay. It should not be overlay's job to prevent that?
Maybe it is just me
Vivek
> Signed-off-by: Konstantin Khlebnikov
> Fixes: 1175b6b8d963 ("ovl: do operations on underlying file system in
>
On Tue, Jan 10, 2017 at 11:06:47AM -0500, Vivek Goyal wrote:
> On Tue, Jan 10, 2017 at 02:26:48PM +0300, Konstantin Khlebnikov wrote:
> > If overlay was mounted by root then quota set for upper layer does not work
> > because overlay now always uses mounter's creden
task have
> capability CAP_SYS_RESOURCE in root user namespace.
>
> Signed-off-by: Konstantin Khlebnikov
> Fixes: 1175b6b8d963 ("ovl: do operations on underlying file system in
> mounter's context")
> Cc: Vivek Goyal
> Cc: Miklos Szeredi
>
ot user namespace.
This makes sense to me. I too would like quota to take effect for
containers on overlay.
I will test it.
Vivek
>
> Signed-off-by: Konstantin Khlebnikov
> Fixes: 1175b6b8d963 ("ovl: do operations on underlying file system in
> mounter's context&
On Fri, Dec 23, 2016 at 12:43:07PM +0100, Nicholas Mc Guire wrote:
> Add the missing declarations of basic purgatory functions and variables
> used with kexec_purgatory_get_set_symbol() to allow a clean build.
>
> Fixes: commit 8fc5b4d4121c ("purgatory: core purgatory functionality")
> Signed-off-
On Fri, Oct 21, 2016 at 11:53:41AM +0300, Amir Goldstein wrote:
> On Thu, Oct 20, 2016 at 11:54 PM, Vivek Goyal wrote:
> > On Thu, Oct 20, 2016 at 04:46:30PM -0400, Vivek Goyal wrote:
> >
> > [..]
> >> > +static ssize_t ovl_read_iter(struct
On Fri, Oct 21, 2016 at 11:12:11AM +0200, Miklos Szeredi wrote:
> On Thu, Oct 20, 2016 at 04:54:08PM -0400, Vivek Goyal wrote:
> > On Thu, Oct 20, 2016 at 04:46:30PM -0400, Vivek Goyal wrote:
> >
> > [..]
> > > > +static ssize_t ovl_read_iter(struct
On Thu, Oct 20, 2016 at 04:46:30PM -0400, Vivek Goyal wrote:
[..]
> > +static ssize_t ovl_read_iter(struct kiocb *iocb, struct iov_iter *to)
> > +{
> > + struct file *file = iocb->ki_filp;
> > + bool isupper = OVL_TYPE_UPPER(ovl_path_type(file->f_path.dentry));
On Wed, Oct 12, 2016 at 03:33:26PM +0200, Miklos Szeredi wrote:
> This is a proof of concept patch to fix the following.
>
> /ovl is in overlay mount and /ovl/foo exists on the lower layer only.
>
> rofd = open("/ovl/foo", O_RDONLY);
> rwfd = open("/ovl/foo", O_WRONLY); /* this causes copy up *
On Thu, Oct 06, 2016 at 08:01:42PM +0200, Paolo Valente wrote:
>
> > Il giorno 06 ott 2016, alle ore 19:49, Vivek Goyal ha
> > scritto:
> >
> > On Thu, Oct 06, 2016 at 03:15:50PM +0200, Paolo Valente wrote:
> >
> > [..]
> >> Shaohua, I have ju
On Thu, Oct 06, 2016 at 03:15:50PM +0200, Paolo Valente wrote:
[..]
> Shaohua, I have just realized that I have unconsciously defended a
> wrong argument. Although all the facts that I have reported are
> evidently true, I have argued as if the question was: "do we need to
> throw away throttling
On Wed, Oct 05, 2016 at 02:37:00PM +0200, Paolo Valente wrote:
[..]
> Anyway, to avoid going on with trying speculations and arguments, let
> me retry with a practical proposal. BFQ is out there, free. Let's
> just test, measure and check whether we have already a solution to
> the problems you/
On Tue, Oct 04, 2016 at 11:56:16AM -0400, Tejun Heo wrote:
> Hello, Vivek.
>
> On Tue, Oct 04, 2016 at 09:28:05AM -0400, Vivek Goyal wrote:
> > On Mon, Oct 03, 2016 at 02:20:19PM -0700, Shaohua Li wrote:
> > > Hi,
> > >
> > > The background is we don
On Mon, Oct 03, 2016 at 02:20:19PM -0700, Shaohua Li wrote:
> Hi,
>
> The background is we don't have an ioscheduler for blk-mq yet, so we can't
> prioritize processes/cgroups.
So this is an interim solution till we have an ioscheduler for blk-mq?
> This patch set tries to add basic arbitration
> b
On Tue, Sep 27, 2016 at 08:57:22AM -0400, Vivek Goyal wrote:
> On Mon, Sep 19, 2016 at 03:11:10PM -0600, Jens Axboe wrote:
> > On 09/19/2016 03:06 PM, Vivek Goyal wrote:
> > > On Tue, Sep 13, 2016 at 09:46:46AM -0400, Vivek Goyal wrote:
> > > >
> > > > H
On Mon, Sep 19, 2016 at 03:11:10PM -0600, Jens Axboe wrote:
> On 09/19/2016 03:06 PM, Vivek Goyal wrote:
> > On Tue, Sep 13, 2016 at 09:46:46AM -0400, Vivek Goyal wrote:
> > >
> > > Hi Hou Tao,
> > >
> > > [ CC Tejun and Thomas ]
> > >
On Tue, Sep 13, 2016 at 09:46:46AM -0400, Vivek Goyal wrote:
>
> Hi Hou Tao,
>
> [ CC Tejun and Thomas ]
>
> Thanks for the patch. I can reproduce it. I am wondering why you are
> doing so many checks. Can't we just check if the throttle group is empty or
> not?
tion to
wait. And when that timer expires, same process will repeat and we
will wait again and this can easily be an infinite loop.
Solve this issue by starting a new slice only if throttle group is
empty. If it is not empty, that means there should be an active slice
going on. Ideally it shoul
5
scontext=unconfined_u:unconfined_r:test_overlay_client_t:s0:c10,c20
tcontext=unconfined_u:object_r:test_overlay_files_ro_t:s0 tclass=file
permissive=0
Notice that now dev information points to "dm-0" device instead of "overlay"
device. This makes it clear that check failed on underlying in
On Wed, Jul 20, 2016 at 09:35:30AM +0100, Russell King - ARM Linux wrote:
> On Wed, Jul 20, 2016 at 01:45:42PM +1000, Balbir Singh wrote:
> > > IOW, if your kernel forced signature verification, you should not be
> > > able to do sig_enforce=0. If you kernel did not have
> > > CONFIG_MODULE_SIG_FOR
On Wed, Jul 20, 2016 at 01:45:42PM +1000, Balbir Singh wrote:
> >
> > Command line options are not signed. I thought idea behind secureboot
> > was to execute only trusted code and command line options don't enforce
> > you to execute unsigned code.
> >
> >>
> >> You can set
On Tue, Jul 19, 2016 at 01:47:28PM +0100, Mark Rutland wrote:
> On Tue, Jul 19, 2016 at 08:24:06AM -0400, Vivek Goyal wrote:
> > On Tue, Jul 19, 2016 at 11:52:00AM +0100, Mark Rutland wrote:
> > > Regardless, this extended syscall changes some underlying assumptions
> > >
On Tue, Jul 19, 2016 at 11:52:00AM +0100, Mark Rutland wrote:
> On Tue, Jul 19, 2016 at 08:55:56AM +0800, Dave Young wrote:
> > On 07/18/16 at 11:07am, Mark Rutland wrote:
> > > On Mon, Jul 18, 2016 at 10:30:24AM +0800, Dave Young wrote:
> > > > I do not think it is worth to add another syscall for
On Mon, Jul 18, 2016 at 09:26:29AM -0400, Vivek Goyal wrote:
> On Mon, Jul 18, 2016 at 10:46:04PM +1000, Balbir Singh wrote:
> > On Wed, 2016-07-13 at 14:22 -0400, Vivek Goyal wrote:
> > > On Wed, Jul 13, 2016 at 06:40:10PM +0100, Russell King - ARM Linux wrote:
> > >
On Mon, Jul 18, 2016 at 10:46:04PM +1000, Balbir Singh wrote:
> On Wed, 2016-07-13 at 14:22 -0400, Vivek Goyal wrote:
> > On Wed, Jul 13, 2016 at 06:40:10PM +0100, Russell King - ARM Linux wrote:
> > >
> > > On Wed, Jul 13, 2016 at 09:03:38AM -0400, Vivek Goyal wrote:
&
On Fri, Jul 15, 2016 at 09:31:02AM +0200, Arnd Bergmann wrote:
> On Thursday, July 14, 2016 10:44:14 PM CEST Thiago Jung Bauermann wrote:
> > Am Donnerstag, 14 Juli 2016, 10:29:11 schrieb Arnd Bergmann:
>
> > >
> > > Right, but the question remains whether this helps while you allow the
> > > boo
On Tue, Jul 12, 2016 at 10:42:01AM +0900, AKASHI Takahiro wrote:
[..]
> -SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd,
> +SYSCALL_DEFINE6(kexec_file_load, int, kernel_fd, int, initrd_fd,
> unsigned long, cmdline_len, const char __user *, cmdline_ptr,
> -
On Fri, Jul 15, 2016 at 09:49:25AM +0100, Russell King - ARM Linux wrote:
> On Wed, Jul 13, 2016 at 03:13:42PM +0200, Arnd Bergmann wrote:
> > On Wednesday, July 13, 2016 10:41:28 AM CEST Mark Rutland wrote:
> > > The big question is whether this is a realistic case on a secure boot
> > > system.
>
On Wed, Jul 13, 2016 at 06:40:10PM +0100, Russell King - ARM Linux wrote:
> On Wed, Jul 13, 2016 at 09:03:38AM -0400, Vivek Goyal wrote:
> > On Wed, Jul 13, 2016 at 09:26:39AM +0100, Russell King - ARM Linux wrote:
> > > Indeed - maybe Eric knows better, but I can't
e new creds to create file and then
revert back to old creds and release new creds.
Signed-off-by: Vivek Goyal
---
fs/overlayfs/copy_up.c| 15 +++
include/linux/lsm_hooks.h | 11 +++
include/linux/security.h | 6 ++
security/security.c | 8
4 files ch
On Wed, Jul 13, 2016 at 10:52:34AM -0400, Stephen Smalley wrote:
> On 07/13/2016 10:44 AM, Vivek Goyal wrote:
> > Provide a security hook to label new file correctly when a file is copied
> > up from lower layer to upper layer of an overlay/union mount.
> >
> > This ho
ption.
Signed-off-by: Vivek Goyal
---
security/selinux/hooks.c | 16
1 file changed, 16 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c82ee54..4fda548 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3290,6 +32
Right now selinux_determine_inode_label() works on security pointer of
current task. Soon I need this to work on a security pointer retrieved
from a set of creds. So start passing in a pointer and caller can decide
where to fetch security pointer from.
Signed-off-by: Vivek Goyal
---
security
label
of lower file and in case of context mount, overlay inode will have
the label from context= mount option.
Signed-off-by: Vivek Goyal
---
security/selinux/hooks.c | 21 +
1 file changed, 21 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
ht be renamed into upper/, and it might get
label based on work/ dir. So this hook helps avoid all these issues.
When a new file is created in upper/, it gets its label based on transition
rules. For the case of context mount, it gets the label from context=
option.
Any feedback is wel
module does not handle/manage the xattr, or a -errno
upon an error.
Signed-off-by: David Howells
Signed-off-by: Vivek Goyal
---
fs/overlayfs/copy_up.c| 7 +++
include/linux/lsm_hooks.h | 10 ++
include/linux/security.h | 6 ++
security/security.c | 8
4
ed-by: Dan Walsh
Signed-off-by: Vivek Goyal
---
fs/overlayfs/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index 66f42f5..6d9d86e 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -140,7 +140,7 @
old creds and release new creds.
Signed-off-by: Vivek Goyal
---
fs/overlayfs/copy_up.c| 18 ++
include/linux/lsm_hooks.h | 11 +++
include/linux/security.h | 6 ++
security/security.c | 8
4 files changed, 43 insertions(+)
diff --git a/fs
d set of creds appropriately. Caller makes use of these new
creds for file creation.
Signed-off-by: Vivek Goyal
---
fs/overlayfs/dir.c| 10 ++
include/linux/lsm_hooks.h | 15 +++
include/linux/security.h | 12
security/security.c | 11 +
.
Dan Walsh noticed this when he did access(lowerfile, W_OK) and it returned
True (context mounts) but when he tried to actually write to file, it failed
as mounter did not have permission on lower file.
Reported-by: Dan Walsh
Signed-off-by: Vivek Goyal
---
fs/overlayfs/inode.c | 9 +++--
1
Calculate what would be the label of newly created file and set that secid
in the passed creds.
Context of the task which is actually creating file is retrieved from
set of creds passed in. (old->security).
Signed-off-by: Vivek Goyal
---
security/selinux/hooks.c | 22 ++
On Wed, Jul 13, 2016 at 09:41:39AM +1000, Stewart Smith wrote:
> Petr Tesarik writes:
> > On Tue, 12 Jul 2016 13:25:11 -0300
> > Thiago Jung Bauermann wrote:
> >
> >> Hi Eric,
> >>
> >> I'm trying to understand your concerns leading to your nack. I hope you
> >> don't mind expanding your though
On Wed, Jul 13, 2016 at 09:45:22AM +1000, Stewart Smith wrote:
> Vivek Goyal writes:
> > On Tue, Jul 12, 2016 at 10:58:09AM -0300, Thiago Jung Bauermann wrote:
> >> Hello Eric,
> >>
> >> Am Dienstag, 12 Juli 2016, 08:25:48 schrieb Eric W. Biede
On Wed, Jul 13, 2016 at 09:26:39AM +0100, Russell King - ARM Linux wrote:
> On Wed, Jul 13, 2016 at 05:55:33PM +1000, Stewart Smith wrote:
> > Russell King - ARM Linux writes:
> > > On Wed, Jul 13, 2016 at 02:59:51PM +1000, Stewart Smith wrote:
> > >> Russell King - ARM Linux writes:
> > >> > On
On Tue, Jul 12, 2016 at 04:02:46PM +0200, Arnd Bergmann wrote:
> On Tuesday, July 12, 2016 8:25:48 AM CEST Eric W. Biederman wrote:
> > AKASHI Takahiro writes:
> >
> > > Device tree blob must be passed to a second kernel on DTB-capable
> > > archs, like powerpc and arm64, but the current kernel i
On Tue, Jul 12, 2016 at 10:58:09AM -0300, Thiago Jung Bauermann wrote:
> Hello Eric,
>
> Am Dienstag, 12 Juli 2016, 08:25:48 schrieb Eric W. Biederman:
> > AKASHI Takahiro writes:
> > > Device tree blob must be passed to a second kernel on DTB-capable
> > > archs, like powerpc and arm64, but the
On Mon, Jul 11, 2016 at 11:31:47AM -0400, Stephen Smalley wrote:
[..]
> > +static inline int security_inode_copy_up_xattr(const char *name)
> > +{
> > + -EOPNOTSUPP;
>
> return?
Yes, I fixed this one in my patches now. kbuild also flagged this.
Vivek
On Mon, Jul 11, 2016 at 11:31:47AM -0400, Stephen Smalley wrote:
> On 07/08/2016 12:19 PM, Vivek Goyal wrote:
> > Provide a security hook which is called when xattrs of a file are being
> > copied up. This hook is called once for each xattr and LSM can return 0
> > to access t
On Mon, Jul 11, 2016 at 11:24:26AM -0400, Stephen Smalley wrote:
> On 07/08/2016 12:19 PM, Vivek Goyal wrote:
> > Provide a security hook to label new file correctly when a file is copied
> > up from lower layer to upper layer of an overlay/union mount.
> >
> > This ho
to the wrong git tree, please drop us a note to
> help improve the system]
These patches should be applied on top of the overlayfs-next branch of
Miklos's vfs tree.
git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs.git overlayfs-next
>
> url:
> https://github.com/0day-
d set of creds appropriately. Caller makes use of these new
creds for file creation.
Signed-off-by: Vivek Goyal
---
fs/overlayfs/dir.c| 10 ++
include/linux/lsm_hooks.h | 15 +++
include/linux/security.h | 12
security/security.c | 11 +
Calculate what would be the label of newly created file and set that secid
in the passed creds.
Context of the task which is actually creating file is retrieved from
set of creds passed in. (old->security).
Signed-off-by: Vivek Goyal
---
security/selinux/hooks.c | 22 ++
.
If 0 or -EOPNOTSUPP is returned, xattr will be copied up, if 1 is returned,
xattr will not be copied up and if negative error code is returned, copy up
will be aborted.
Signed-off-by: David Howells
Signed-off-by: Vivek Goyal
---
fs/overlayfs/copy_up.c| 7 +++
include/linux/lsm_hooks.h
ption.
Signed-off-by: Vivek Goyal
---
security/selinux/hooks.c | 16
1 file changed, 16 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c82ee54..4fda548 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3290,6 +32
work/ dir. So this hook helps avoid all these issues.
When a new file is created in upper/, it gets its label based on transition
rules. For the case of context mount, it gets the label from context=
option.
Any feedback is welcome.
Thanks
Vivek
Vivek Goyal (7):
security, overlayf
Right now selinux_determine_inode_label() works on security pointer of
current task. Soon I need this to work on a security pointer retrieved
from a set of creds. So start passing in a pointer and caller can decide
where to fetch security pointer from.
Signed-off-by: Vivek Goyal
---
security
label
of lower file and in case of context mount, overlay inode will have
the label from context= mount option.
Signed-off-by: Vivek Goyal
---
security/selinux/hooks.c | 21 +
1 file changed, 21 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
old creds and release new creds.
Signed-off-by: Vivek Goyal
---
fs/overlayfs/copy_up.c| 18 ++
include/linux/lsm_hooks.h | 11 +++
include/linux/security.h | 6 ++
security/security.c | 8
4 files changed, 43 insertions(+)
diff --git a/fs
On Fri, Jul 08, 2016 at 08:45:34AM -0400, Vivek Goyal wrote:
[..]
> > >>> I don't much care for the way part of the credential manipulation
> > >>> is done in the caller and part is done the the security module.
> > >>> If the caller is