Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-08 Thread Casey Schaufler
On 7/8/2016 12:06 AM, Miklos Szeredi wrote: > On Thu, Jul 7, 2016 at 8:35 PM, Vivek Goyal wrote: >> On Wed, Jul 06, 2016 at 04:58:37PM +0200, Miklos Szeredi wrote: >>> On Wed, Jul 6, 2016 at 12:54 PM, Vivek Goyal wrote: On Wed, Jul 06, 2016 at

Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-08 Thread Casey Schaufler
On 7/8/2016 12:06 AM, Miklos Szeredi wrote: > On Thu, Jul 7, 2016 at 8:35 PM, Vivek Goyal wrote: >> On Wed, Jul 06, 2016 at 04:58:37PM +0200, Miklos Szeredi wrote: >>> On Wed, Jul 6, 2016 at 12:54 PM, Vivek Goyal wrote: On Wed, Jul 06, 2016 at 06:36:49AM +0200, Miklos Szeredi wrote: >

Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-08 Thread Miklos Szeredi
On Thu, Jul 7, 2016 at 8:35 PM, Vivek Goyal wrote: > On Wed, Jul 06, 2016 at 04:58:37PM +0200, Miklos Szeredi wrote: >> On Wed, Jul 6, 2016 at 12:54 PM, Vivek Goyal wrote: >> > On Wed, Jul 06, 2016 at 06:36:49AM +0200, Miklos Szeredi wrote: >> >> On Tue, Jul

Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-08 Thread Miklos Szeredi
On Thu, Jul 7, 2016 at 8:35 PM, Vivek Goyal wrote: > On Wed, Jul 06, 2016 at 04:58:37PM +0200, Miklos Szeredi wrote: >> On Wed, Jul 6, 2016 at 12:54 PM, Vivek Goyal wrote: >> > On Wed, Jul 06, 2016 at 06:36:49AM +0200, Miklos Szeredi wrote: >> >> On Tue, Jul 5, 2016 at 11:16 PM, Vivek Goyal

Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-07 Thread Vivek Goyal
On Wed, Jul 06, 2016 at 04:58:37PM +0200, Miklos Szeredi wrote: > On Wed, Jul 6, 2016 at 12:54 PM, Vivek Goyal wrote: > > On Wed, Jul 06, 2016 at 06:36:49AM +0200, Miklos Szeredi wrote: > >> On Tue, Jul 5, 2016 at 11:16 PM, Vivek Goyal wrote: > >> > On Tue,

Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-07 Thread Vivek Goyal
On Wed, Jul 06, 2016 at 04:58:37PM +0200, Miklos Szeredi wrote: > On Wed, Jul 6, 2016 at 12:54 PM, Vivek Goyal wrote: > > On Wed, Jul 06, 2016 at 06:36:49AM +0200, Miklos Szeredi wrote: > >> On Tue, Jul 5, 2016 at 11:16 PM, Vivek Goyal wrote: > >> > On Tue, Jul 05, 2016 at 01:29:39PM -0700,

Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-06 Thread Miklos Szeredi
On Wed, Jul 6, 2016 at 12:54 PM, Vivek Goyal wrote: > On Wed, Jul 06, 2016 at 06:36:49AM +0200, Miklos Szeredi wrote: >> On Tue, Jul 5, 2016 at 11:16 PM, Vivek Goyal wrote: >> > On Tue, Jul 05, 2016 at 01:29:39PM -0700, Casey Schaufler wrote: >> >> On

Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-06 Thread Miklos Szeredi
On Wed, Jul 6, 2016 at 12:54 PM, Vivek Goyal wrote: > On Wed, Jul 06, 2016 at 06:36:49AM +0200, Miklos Szeredi wrote: >> On Tue, Jul 5, 2016 at 11:16 PM, Vivek Goyal wrote: >> > On Tue, Jul 05, 2016 at 01:29:39PM -0700, Casey Schaufler wrote: >> >> On 7/5/2016 8:50 AM, Vivek Goyal wrote: >> >> >

Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-06 Thread Vivek Goyal
On Wed, Jul 06, 2016 at 06:36:49AM +0200, Miklos Szeredi wrote: > On Tue, Jul 5, 2016 at 11:16 PM, Vivek Goyal wrote: > > On Tue, Jul 05, 2016 at 01:29:39PM -0700, Casey Schaufler wrote: > >> On 7/5/2016 8:50 AM, Vivek Goyal wrote: > >> > ovl_getxattr() currently uses

Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-06 Thread Vivek Goyal
On Wed, Jul 06, 2016 at 06:36:49AM +0200, Miklos Szeredi wrote: > On Tue, Jul 5, 2016 at 11:16 PM, Vivek Goyal wrote: > > On Tue, Jul 05, 2016 at 01:29:39PM -0700, Casey Schaufler wrote: > >> On 7/5/2016 8:50 AM, Vivek Goyal wrote: > >> > ovl_getxattr() currently uses vfs_getxattr() on realinode.

Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-05 Thread Miklos Szeredi
On Tue, Jul 5, 2016 at 11:16 PM, Vivek Goyal wrote: > On Tue, Jul 05, 2016 at 01:29:39PM -0700, Casey Schaufler wrote: >> On 7/5/2016 8:50 AM, Vivek Goyal wrote: >> > ovl_getxattr() currently uses vfs_getxattr() on realinode. This fails >> > if mounter does not have DAC/MAC

Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-05 Thread Miklos Szeredi
On Tue, Jul 5, 2016 at 11:16 PM, Vivek Goyal wrote: > On Tue, Jul 05, 2016 at 01:29:39PM -0700, Casey Schaufler wrote: >> On 7/5/2016 8:50 AM, Vivek Goyal wrote: >> > ovl_getxattr() currently uses vfs_getxattr() on realinode. This fails >> > if mounter does not have DAC/MAC permission to access

Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-05 Thread Vivek Goyal
On Tue, Jul 05, 2016 at 01:29:39PM -0700, Casey Schaufler wrote: > On 7/5/2016 8:50 AM, Vivek Goyal wrote: > > ovl_getxattr() currently uses vfs_getxattr() on realinode. This fails > > if mounter does not have DAC/MAC permission to access getxattr. > > > > Specifically this becomes a problem when

Re: [PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-05 Thread Casey Schaufler
On 7/5/2016 8:50 AM, Vivek Goyal wrote: > ovl_getxattr() currently uses vfs_getxattr() on realinode. This fails > if mounter does not have DAC/MAC permission to access getxattr. > > Specifically this becomes a problem when selinux is trying to initialize > overlay inode and does

[PATCH 5/5] overlayfs: Use vfs_getxattr_noperm() for real inode

2016-07-05 Thread Vivek Goyal
ovl_getxattr() currently uses vfs_getxattr() on realinode. This fails if mounter does not have DAC/MAC permission to access getxattr. Specifically this becomes a problem when selinux is trying to initialize overlay inode and does ->getxattr(overlay_inode). A task might trigger initialization of
