Re: [PATCH] netfilter: nf_conntrack: Batch cleanup

2013-03-18 Thread Gao feng
*net) > { > + LIST_HEAD(single); > + > + list_add(&net->exit_list, &single); > + nf_conntrack_cleanup_net_list(&single); > +} > + After adding net->exit_list to this single list, in setup_net we will re-add this net->exit_list to net_exit_list.

[PATCH] audit: don't check if kauditd is valid everytime

2013-04-03 Thread Gao feng
We only need to check if kauditd is valid after we start it. If kauditd is invalid, we will set kauditd_task to NULL, so next time we will start kauditd again. It means that if kauditd_task is not NULL, it must be valid. Signed-off-by: Gao feng --- kernel/audit.c | 12 ++-- 1 file changed

Re: [PATCH review 6/6] userns: Allow the userns root to mount tmpfs.

2013-01-27 Thread Gao feng
t; Signed-off-by: "Eric W. Biederman" > --- Useful to me, thanks Eric & Serge. Acked-by: Gao feng > mm/shmem.c |2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/mm/shmem.c b/mm/shmem.c > index 5c90d84..197ca5e 100644 > --

[PATCH] userns: Allow the unprivileged users to mount mqueue fs

2013-01-27 Thread Gao feng
This patch allows the unprivileged user to mount mqueuefs in a user ns. If two userns share the same ipcns, the files in mqueue fs should be seen in both of these userns. If the userns has its own ipcns, it has its own mqueue fs too. ipcns has already done this job well. Signed-off-by: Gao feng

Re: [PATCH] userns: Allow the unprivileged users to mount mqueue fs

2013-01-27 Thread Gao feng
On 2013/01/28 11:43, Eric W. Biederman wrote: > Gao feng writes: > >> This patch allows the unprivileged user to mount mqueuefs in >> a user ns. >> >> If two userns share the same ipcns, the files in mqueue fs >> should be seen in both of these userns. >>

[PATCH] namespace:unmount pid_namespace's proc_mnt when copy_net_ns failed

2012-11-01 Thread Gao feng
er be released too. Signed-off-by: Gao feng --- kernel/nsproxy.c |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c index b576f7f..d536480 100644 --- a/kernel/nsproxy.c +++ b/kernel/nsproxy.c @@ -99,8 +99,11 @@ static struct ns

Re: [PATCH] namespace:unmount pid_namespace's proc_mnt when copy_net_ns failed

2012-11-02 Thread Gao feng
On 2012-11-02 15:02, Eric W. Biederman wrote: > Gao feng writes: > >> We should call pid_ns_release_proc to unmount pid_namespace's >> proc_mnt when copy_net_ns failed in function create_new_namespaces. >> >> Otherwise, the proc_mnt will not be freed and because

Re: [PATCH] namespace:unmount pid_namespace's proc_mnt when copy_net_ns failed

2012-11-02 Thread Gao feng
On 2012-11-02 16:54, Eric W. Biederman wrote: > Gao feng writes: > >> On 2012-11-02 15:02, Eric W. Biederman wrote: >>> Gao feng writes: >>> >>>> We should call pid_ns_release_proc to unmount pid_namespace's >>>> proc_mnt when copy_net_ns fa

[PATCH 1/2] cgroup: use cgroup_addrm_files in cgroup_clear_directory

2012-11-30 Thread Gao feng
cgroup_rm_file only removes the first file. After remount, the cgroup subsystem will be unloaded with its files left behind. Use cgroup_addrm_files to remove all files of the subsystem. Signed-off-by: Gao feng --- kernel/cgroup.c |4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diff --

[PATCH 2/2] cgroup: remove subsystem files when remounting cgroup

2012-11-30 Thread Gao feng
tem will panic when we try to access these files. This patch fixes it. Signed-off-by: Gao feng --- kernel/cgroup.c | 86 ++ 1 files changed, 54 insertions(+), 32 deletions(-) diff --git a/kernel/cgroup.c b/kernel/cgroup.c index e5233b7..90429d

Re: [PATCH 2/2] cgroup: remove subsystem files when remounting cgroup

2012-12-02 Thread Gao feng
Hello Tejun, on 2012/12/01 03:27, Tejun Heo wrote: > Hello, Gao. > > On Sat, Dec 01, 2012 at 12:21:29AM +0800, Gao feng wrote: >> cgroup_clear_directory is called by cgroup_d_remove_dir >> and cgroup_remount. >> >> When we call cgroup_remount to remount the cgroup

[PATCH RESEND] cgroup: remove subsystem files when remounting cgroup

2012-12-02 Thread Gao feng
tem will panic when we try to access these files. This patch removes the subsystems' files before rebind_subsystems; if rebind_subsystems fails, the removed files are repopulated. With help from Tejun. Signed-off-by: Gao feng --- kernel/cgroup.c | 11 +-- 1 files changed, 9 ins

Re: kernel panic when running /etc/init.d/iptables restart

2012-12-24 Thread Gao feng
cc netdev Hi canqun: On 2012/12/24 13:51, canqun zhang wrote: > Hi Patrick, > If I start one lxc container instance, then in the system there > will be two net namespaces: one is the init_net namespace, the other is > created by lxc. If running "/etc/init.d/iptables restart", the system > will be pa

Re: kernel panic when running /etc/init.d/iptables restart

2012-12-25 Thread Gao feng
On 2012/12/25 15:25, canqun zhang wrote: > Hi Gao feng > The stack information is as follows. The kernel will panic because the > nf_ct_destroy is NULL. Thanks! It seems that nf_conntrack_l[3,4]proto_unregister doesn't make sure the nf_conns of the proto are destroyed. If I

Re: kernel panic when running /etc/init.d/iptables restart

2012-12-25 Thread Gao feng
On 2012/12/25 15:25, canqun zhang wrote: > Hi Gao feng > The stack information is as follows. The kernel will panic because the > nf_ct_destroy is NULL. > > Reproduction: > (1) starting a lxc container > (2) iptables -t nat -A POSTROUTING -s 10.48.254.18 -o eth1 -j > MA

Re: [PATCH 09/11] pidns: Add setns support

2012-11-19 Thread Gao feng
On 2012-11-17 00:35, Eric W. Biederman wrote: > From: "Eric W. Biederman" > > - Pid namespaces are designed to be inescapable so verify that the > passed in pid namespace is a child of the currently active > pid namespace or the currently active pid namespace itself. > > Allowing the currentl

[PATCH] pidns: remove the useless function is_container_init

2012-11-19 Thread Gao feng
Since commit 1cdcbec1a3372c0c49c59d292e708fd07b509f18, is_container_init has not been used for a long time. Just remove it. Signed-off-by: Gao feng --- include/linux/sched.h |6 -- kernel/pid.c | 15 --- 2 files changed, 0 insertions(+), 21 deletions(-) diff --git a

Re: [PATCH 05/11] pidns: Make the pidns proc mount/umount logic obvious.

2012-11-19 Thread Gao feng
locking the entire world waiting for the unnecessary > rcu_barrier in deactivate_locked_super. > > In the process of making the code clear and obvious this fixes a bug > reported by Gao feng where we would leak a > mount of proc during clone(CLONE_NEWPID|CLONE_NEWNET) if copy_pid_ns > succeeded and co

Re: [PATCH review 0/6] mount namespace container enhancements

2012-11-19 Thread Gao feng
On 2012-11-19 18:48, Eric W. Biederman wrote: > git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git > mntns-v53 I think you mean mntns-v73 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More major

Re: [netlink_lookup] BUG: unable to handle kernel NULL pointer dereference at (null)

2013-06-12 Thread Gao feng
On 06/13/2013 09:22 AM, Fengguang Wu wrote: > Greetings, > > I got the below dmesg and the first bad commit is > > commit da12c90e099789a63073fc82a19542ce54d4efb9 > Author: Gao feng > Date: Thu Jun 6 14:49:11 2013 +0800 > > netlink: Add compare function for ne

[PATCH] netlink: make compare exist all the time

2013-06-12 Thread Gao feng
should set compare after we allocate nl_table, and never reset it. Make compare exist all the time. Reported-by: Fengguang Wu Signed-off-by: Gao feng --- net/netlink/af_netlink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netli

[PATCH 09/22] Audit: make audit_nlk_portid per user namespace

2013-06-18 Thread Gao feng
After this patch, audit_nlk_port is per user namespace. Just like the previous patch does, use audit_nlk_portid of the init user namespace in kauditd_send_skb. Signed-off-by: Gao feng --- include/linux/user_namespace.h | 1 + kernel/audit.c | 11 ++- 2 files changed, 3 insertions

[PATCH 10/22] Audit: make audit_enabled per user namespace

2013-06-18 Thread Gao feng
This patch makes audit_enabled per user namespace. Right now, use audit_enabled of the init user namespace to decide if audit is enabled, no matter which user namespace we belong to. Signed-off-by: Gao feng --- include/linux/audit.h | 4 +++- include/linux/user_namespace.h | 1 + kernel

[PATCH 18/22] Audit: introduce new audit logging interface for user namespace

2013-06-18 Thread Gao feng
The interfaces audit_log_start_ns and audit_log_end_ns will be used for logging audit messages in a user namespace. Signed-off-by: Gao feng --- include/linux/audit.h | 25 -- kernel/audit.c| 95 ++- 2 files changed, 78 insertions

[PATCH 21/22] Audit: send reply message to the auditd in proper user namespace

2013-06-18 Thread Gao feng
We can send the audit reply message to the userspace auditd process which is running in the same user namespace as the process which sent the audit request message to the kernel. Signed-off-by: Gao feng --- kernel/audit.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/kernel

[PATCH 20/22] Audit: Log audit config change in uninit user namespace

2013-06-18 Thread Gao feng
This patch allows logging audit config changes in an uninit user namespace. Signed-off-by: Gao feng --- kernel/audit.c | 13 - 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 2d81aac..84a882c 100644 --- a/kernel/audit.c +++ b/kernel

[PATCH 07/22] Audit: make audit_skb_hold_queue per user namespace

2013-06-18 Thread Gao feng
After this patch, every user namespace has one audit_skb_hold_queue. Since we haven't finished the preparations, only allow users to operate the skb hold queue of the init user namespace. Signed-off-by: Gao feng --- include/linux/user_namespace.h | 1 + kernel/audit.c

[PATCH 22/22] Audit: Allow GET,SET,USER MSG operations in uninit user namespace

2013-06-18 Thread Gao feng
After this patch, users can set/get audit information in a container, and they can also send user msgs to the audit subsystem. Signed-off-by: Gao feng --- kernel/audit.c | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 0b3fd8b

[PATCH 01/22] Audit: change type of audit_ever_enabled to bool

2013-06-18 Thread Gao feng
It's better to define audit_ever_enabled as bool. Signed-off-by: Gao feng --- kernel/audit.c | 2 +- kernel/audit.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 91e53d0..ad3084c 100644 --- a/kernel/audit.c +++ b/kernel/au

[PATCH 19/22] Audit: pass proper user namespace to audit_log_common_recv_msg

2013-06-18 Thread Gao feng
The audit log that is generated in a user namespace should be received by the auditd running in that user namespace. Signed-off-by: Gao feng --- kernel/audit.c | 26 ++ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index

[PATCH 03/22] Audit: make audit kernel side netlink sock per userns

2013-06-18 Thread Gao feng
many netns, the audit_sock is only allocated once. Signed-off-by: Gao feng --- include/linux/audit.h | 5 +++ include/linux/user_namespace.h | 9 kernel/audit.c | 100 +++-- kernel/user_namespace.c| 2 + 4 files

[Part1 PATCH 00/22] Add namespace support for audit

2013-06-18 Thread Gao feng
c resources of audit, and only make user audit message namespace aware. This patchset is based on linus' linux tree. You can pull this patchset from: git://github.com/gao-feng/auditns.git The following changes since commit 8177a9d79c0e942dcac3312f15585d0344d505a5 "lseek(fd, n,

[PATCH 13/22] Audit: only allow init user namespace to change rate limit

2013-06-18 Thread Gao feng
Because we want to avoid a DoS attack caused by other user namespaces, don't make audit_rate_limit per user namespace. Only the init user namespace has rights to change it. Signed-off-by: Gao feng --- kernel/audit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/audi

[PATCH 17/22] Audit: make audit_backlog_wait per user namespace

2013-06-18 Thread Gao feng
Tasks are added to audit_backlog_wait when the audit_skb_queue of a user namespace is full, so audit_backlog_wait should be per user namespace too. Signed-off-by: Gao feng --- include/linux/user_namespace.h | 1 + kernel/audit.c | 11 +-- 2 files changed, 6 insertions

[PATCH 16/22] Audit: make kauditd_wait per user namespace

2013-06-18 Thread Gao feng
kauditd_task is added to the wait queue kaudit_wait when there is no audit message being generated in the user namespace, so kaudit_wait should be per user namespace too. Signed-off-by: Gao feng --- include/linux/user_namespace.h | 1 + kernel/audit.c | 36

[PATCH 12/22] Audit: make audit_initialized per user namespace

2013-06-18 Thread Gao feng
audit_initialized is used to identify whether the audit related resources have been initialized. It should be per user namespace too. Signed-off-by: Gao feng --- include/linux/user_namespace.h | 1 + kernel/audit.c | 21 +++-- 2 files changed, 12 insertions(+), 10

[PATCH 05/22] Audit: implement audit self-defined compare function

2013-06-18 Thread Gao feng
After this patch, audit netlink sockets can communicate with each other when they belong to the same user namespace. Signed-off-by: Gao feng --- kernel/audit.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 11b56b7..a411b02 100644 --- a/kernel

[PATCH 04/22] netlink: Add compare function for netlink_table

2013-06-18 Thread Gao feng
mpare" for netlink_table, we can decide if the netlink sockets can communicate with each other through this netlink_table self-defined compare function. The behavior isn't changed if we don't provide the compare function for netlink_table. Signed-off-by: Gao feng --- include/linux/netli

[PATCH 02/22] Audit: remove duplicate comments

2013-06-18 Thread Gao feng
Remove it. Signed-off-by: Gao feng --- kernel/audit.c | 7 --- 1 file changed, 7 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index ad3084c..843e7a2 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1067,13 +1067,6 @@ static void wait_for_auditd(unsigned long sleep_time

[PATCH 14/22] Audit: only allow init user namespace to change audit_failure

2013-06-18 Thread Gao feng
Setting audit_failure to AUDIT_FAIL_PANIC may cause a system panic. We should disallow an uninit user namespace from changing it. Signed-off-by: Gao feng --- kernel/audit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 306231d..79a8b8e 100644 --- a/kernel

[PATCH 15/22] Audit: only allow init user namespace to change backlog_limit

2013-06-18 Thread Gao feng
Prevent an un-init user namespace from generating lots of skbs. Signed-off-by: Gao feng --- kernel/audit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 79a8b8e..297ac6e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -303,6 +303,9 @@ static int

[PATCH 08/22] Audit: make kauditd_task per user namespace

2013-06-18 Thread Gao feng
This patch makes kauditd_task per user namespace. Since right now we only allow users in the init user namespace to send audit netlink messages to the kernel, the kauditd_task belonging to other user namespaces will still not run. Signed-off-by: Gao feng --- include/linux/audit.h | 1

[PATCH 06/22] Audit: make audit_skb_queue per user namespace

2013-06-18 Thread Gao feng
After this patch, every user namespace has one audit_skb_queue. Since we haven't finished the preparations, only allow users to operate the skb queue of the init user namespace. Signed-off-by: Gao feng --- include/linux/audit.h | 4 include/linux/user_namespace.h | 2 ++ kernel/au

[PATCH 11/22] Audit: make audit_ever_enabled per user namespace

2013-06-18 Thread Gao feng
: Gao feng --- include/linux/user_namespace.h | 1 + kernel/audit.c | 7 +++ kernel/auditsc.c | 5 - 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h index 9972f0f..a2c0a79 100644 --- a

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-19 Thread Gao feng
On 06/20/2013 04:51 AM, Eric Paris wrote: > On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote: >> On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote: >>> This patchset is first part of namespace support for audit. >>> in this patchset, the mainly res

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-19 Thread Gao feng
On 06/20/2013 11:02 AM, Gao feng wrote: > If we don't tie audit to user namespace, there is still one problem. One more problem: some audit messages are generated by net subsystems such as netfilter. If we don't tie audit to user namespace, we have no idea where these audit messa

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-19 Thread Gao feng
On 06/20/2013 05:03 AM, Eric W. Biederman wrote: > Eric Paris writes: > >> On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote: >>> On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote: >>>> This patchset is first part of namespace support for audit.

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-20 Thread Gao feng
On 06/20/2013 09:02 PM, Eric Paris wrote: > On Thu, 2013-06-20 at 11:02 +0800, Gao feng wrote: >> On 06/20/2013 04:51 AM, Eric Paris wrote: >>> On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote: >>>> On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-20 Thread Gao feng
On 06/21/2013 06:01 AM, Eric W. Biederman wrote: > Gao feng writes: > >> On 06/20/2013 11:02 AM, Gao feng wrote: >>> If we don't tie audit to user namespace, there is still one problem. >> >> One more problem. some audit messages are generated by some net

Re: v3.10-rc7 oops soon after boot

2013-06-24 Thread Gao feng
iable timing > during init script processing. > Hi George, Please try the patch below, I think this bug is introduced by me :( Thanks! >From f12c9178b881e0b21efd37b10a33059fd0544a40 Mon Sep 17 00:00:00 2001 From: Gao feng Date: Mon, 24 Jun 2013 17:04:02 +0800 Subject: [PATCH] netfilter: ipt_

Re: v3.10-rc7 oops soon after boot

2013-06-24 Thread Gao feng
>From f22cb6a9a52497364605c25930ba470ee180ca58 Mon Sep 17 00:00:00 2001 From: Gao feng Date: Mon, 24 Jun 2

Re: v3.10-rc7 oops soon after boot

2013-06-24 Thread Gao feng
On 06/25/2013 06:17 AM, George Spelvin wrote: >>> Reported-by: Borislav Petkov > >> This should be: >> >> Reported-by: George Spelvin >> >> I only connected the dots... > > Well, you did a whole lot more than me! I just lobbed a "d'oh, it > crashes" into the seething ocean of lkml. (Admittedl

Re: v3.10-rc7 oops soon after boot

2013-06-24 Thread Gao feng
On 06/24/2013 07:34 PM, Pablo Neira Ayuso wrote: > On Mon, Jun 24, 2013 at 05:52:08PM +0800, Gao feng wrote: >> On 06/24/2013 05:41 PM, George Spelvin wrote: >>>> Please try the patch below, >>>> I think this bug is introduced by me :( >>>> >>&g

Re: [PATCH RFC 00/48] Add namespace support for audit

2013-06-09 Thread Gao feng
On 06/07/2013 06:47 AM, Serge Hallyn wrote: > Quoting Serge Hallyn (serge.hal...@ubuntu.com): >> Quoting Gao feng (gaof...@cn.fujitsu.com): >>> On 05/07/2013 10:20 AM, Gao feng wrote: >>>> This patchset try to add namespace support for audit. >>>>

Re: [PATCH RFC 00/48] Add namespace support for audit

2013-06-10 Thread Gao feng
On 06/11/2013 05:24 AM, Serge E. Hallyn wrote: > Quoting Gao feng (gaof...@cn.fujitsu.com): >> On 06/07/2013 06:47 AM, Serge Hallyn wrote: >>> Quoting Serge Hallyn (serge.hal...@ubuntu.com): >>>> Quoting Gao feng (gaof...@cn.fujitsu.com): >>>>> On 05/

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-07-03 Thread Gao feng
On 06/21/2013 11:48 AM, Gao feng wrote: > On 06/20/2013 09:02 PM, Eric Paris wrote: >> On Thu, 2013-06-20 at 11:02 +0800, Gao feng wrote: >>> On 06/20/2013 04:51 AM, Eric Paris wrote: >>>> On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote: >>>>

Re: [PATCH review 05/16] xfs: Update xfs_ioctl_setattr to handle projids in any user namespace

2013-07-29 Thread Gao feng
On 02/19/2013 09:55 AM, Dave Chinner wrote: > On Sun, Feb 17, 2013 at 05:10:58PM -0800, Eric W. Biederman wrote: >> From: "Eric W. Biederman" >> >> - Convert the userspace value in fa->fsx_projid into a kprojid and >> store it in the variable projid. >> - Verify that xfs can store the projid aft

Re: [PATCH 9/9] netfilter: use ns_printk in iptable context

2013-07-29 Thread Gao feng
On 07/29/2013 10:31 AM, Rui Xiang wrote: > To containerise iptables log, use ns_printk > to report individual logs to container as > getting syslog_ns from skb->dev->nd_net->user_ns. > > Signed-off-by: Rui Xiang > --- > include/net/netfilter/xt_log.h | 6 +- > net/netfilter/xt_LOG.c

Re: [PATCH 2/9] syslog_ns: add syslog_ns into user_namespace

2013-07-29 Thread Gao feng
On 07/29/2013 05:46 PM, Gu Zheng wrote: > Hi Rui, > > On 07/29/2013 10:31 AM, Rui Xiang wrote: > >> Add a syslog_ns pointer to user_namespace, and make >> syslog_ns per user_namespace, not global. >> >> Since syslog_ns is assigned to user_ns, we can have >> full capabilities in new user_ns to cre

Re: [PATCH 7/9] syslog_ns: implement function for creating syslog ns

2013-07-29 Thread Gao feng
On 07/29/2013 10:31 AM, Rui Xiang wrote: > Add create_syslog_ns function to create a new ns. We > must create a user_ns before create a new syslog ns. > And then tie the new syslog_ns to current user_ns > instead of original syslog_ns which comes from > parent user_ns. > > Add a new syslog flag SY

Re: [PATCH review 05/16] xfs: Update xfs_ioctl_setattr to handle projids in any user namespace

2013-07-29 Thread Gao feng
On 07/29/2013 03:51 PM, Dave Chinner wrote: > [ cc xfs list ] > > On Mon, Jul 29, 2013 at 03:17:06PM +0800, Gao feng wrote: >> On 02/19/2013 09:55 AM, Dave Chinner wrote: >>> On Sun, Feb 17, 2013 at 05:10:58PM -0800, Eric W. Biederman wrote: >>>> From: "Er

Re: [PATCH review 05/16] xfs: Update xfs_ioctl_setattr to handle projids in any user namespace

2013-07-29 Thread Gao feng
On 07/30/2013 11:57 AM, Dave Chinner wrote: > On Tue, Jul 30, 2013 at 11:15:50AM +0800, Gao feng wrote: >> On 07/29/2013 03:51 PM, Dave Chinner wrote: >>> http://oss.sgi.com/pipermail/xfs/2013-July/028467.html >>> >>> Basically, the discussion we are current

Re: [PATCH 4/9] syslog_ns: make syslog handling per namespace

2013-07-31 Thread Gao feng
On 07/29/2013 10:31 AM, Rui Xiang wrote: > This patch makes syslog buf and other fields per > namespace. > > Here use ns->log_buf(log_buf_len, logbuf_lock, > log_first_seq, logbuf_lock, and so on) fields > instead of global ones to handle syslog. > > Syslog interfaces such as /dev/kmsg, /proc/kms

Re: [PATCH 4/9] syslog_ns: make syslog handling per namespace

2013-07-31 Thread Gao feng
On 08/01/2013 11:10 AM, Rui Xiang wrote: > On 2013/8/1 9:36, Gao feng wrote: >> On 07/29/2013 10:31 AM, Rui Xiang wrote: >>> This patch makes syslog buf and other fields per >>> namespace. >>> >>> Here use ns->log_buf(log_buf_len, logbuf_lock, &

Re: [PATCH v3 00/11] Add namespace support for syslog

2013-08-07 Thread Gao feng
On 08/07/2013 03:55 PM, Eric W. Biederman wrote: > > Since this still has not been addressed. I am going to repeat Andrews > objection again. > > Isn't there a better way to get iptables information out than to use > syslog. I did not have time to follow up on that but it did appear that > some

Re: [PATCH 1/1] kernel/pid_namespace.c: Fixing a lack of cleanup (Probable resources leak).

2013-03-04 Thread Gao feng
On 2013/03/05 11:26, Eric W. Biederman wrote: > From: Raphael S.Carvalho > > Starting point: create_pid_namespace() > > Suppose create_pid_cachep() was executed successfully, thus: > pcache was allocated by kmalloc(). > cachep received a cache created by kmem_cache_create(). > and pcache->list wa

Re: For review: user_namespaces(7) man page

2013-05-14 Thread Gao feng
On 04/30/2013 03:45 AM, Rob Landley wrote: > On 04/29/2013 02:45:45 AM, richard -rw- weinberger wrote: >> On Thu, Mar 21, 2013 at 4:52 PM, Michael Kerrisk (man-pages) >> wrote: >> > Hi Serge, >> > >> > On Fri, Mar 15, 2013 at 4:38 PM, Serge Hallyn >> > wrote: >> >> Hi, >> >> >> >> you mention th

[PATCH RFC 41/48] Audit: lsm: translate audit_log_start to audit_log_start_ns

2013-05-06 Thread Gao feng
Now we can log audit messages in the user namespace which the current task belongs to. Signed-off-by: Gao feng --- security/lsm_audit.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/security/lsm_audit.c b/security/lsm_audit.c index 8d8d97d..90fcd08 100644 --- a/security

[PATCH RFC 42/48] Audit: selinux: translate audit_log_start to audit_log_start_ns

2013-05-06 Thread Gao feng
Now we can log audit messages in the user namespace which the current task belongs to. Signed-off-by: Gao feng --- security/selinux/hooks.c | 14 ++ security/selinux/ss/services.c | 8 +--- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/security/selinux

[PATCH RFC 27/48] Audit: make tree_list per user namespace

2013-05-06 Thread Gao feng
tree_list is used to list the directory related audit rules; it should be per user namespace. Signed-off-by: Gao feng --- include/linux/user_namespace.h | 1 + kernel/audit.c | 2 ++ kernel/audit.h | 4 ++-- kernel/audit_tree.c| 22

[PATCH RFC 15/48] Audit: allow to send netlink message to auditd in uninit user namespace

2013-05-06 Thread Gao feng
We can allow the audit kernel side netlink sock of an uninit user namespace to send messages to the right auditd. Signed-off-by: Gao feng --- kernel/audit.c | 28 ++-- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 18cf5ce

[PATCH RFC 47/48] Audit: make audit_log user namespace aware

2013-05-06 Thread Gao feng
This patch makes audit_log user namespace aware. Signed-off-by: Gao feng --- include/linux/audit.h | 12 ++-- kernel/audit.c | 11 ++- net/core/dev.c | 12 +++- security/selinux/avc.c | 3 ++- security/selinux/hooks.c

[PATCH RFC 48/48] Audit: allow root user of un-init user namespace to set audit

2013-05-06 Thread Gao feng
This patch reduces the permission check for setting audit. We have already finished the user namespace support for audit, so now we can allow the root user of an uninit userns to set and use the audit subsystem. Signed-off-by: Gao feng --- kernel/audit.c | 9 ++--- 1 file changed, 2 insertions(+), 7

[PATCH RFC 44/48] Audit: rename audit_log_start_ns to audit_log_start

2013-05-06 Thread Gao feng
Now that all of the audit callers are namespace aware, we can rename audit_log_start_ns to audit_log_start; we just need a namespace aware audit interface. Signed-off-by: Gao feng --- drivers/tty/tty_audit.c | 4 +- include/linux/audit.h | 28 --- include/net

[PATCH RFC 31/48] Audit: pass proper user namespace to audit_filter_syscall

2013-05-06 Thread Gao feng
We should use the proper user namespace to filter the syscall. Signed-off-by: Gao feng --- kernel/auditsc.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 29c3e05..5401d21 100644 --- a/kernel/auditsc.c +++ b/kernel

[PATCH RFC 46/48] Audit: rename audit_enabled_ns to audit_enabled

2013-05-06 Thread Gao feng
Now, all the callers of audit_enabled are user namespace aware, so we can rename audit_enabled_ns to audit_enabled. Signed-off-by: Gao feng --- drivers/tty/tty_audit.c | 4 ++-- include/linux/audit.h| 6 ++ include/net/xfrm.h | 2 +- kernel/audit_watch.c | 2

[PATCH RFC 06/48] Audit: make kauditd_task per user namespace

2013-05-06 Thread Gao feng
This patch makes kauditd_task per user namespace. Since right now we only allow users in the init user namespace to send audit netlink messages to the kernel, the kauditd_task belonging to other user namespaces will still not run. Signed-off-by: Gao feng --- include/linux/user_namespace.h | 1

[PATCH RFC 43/48] Audit: xfrm: translate audit_log_start to audit_log_start_ns

2013-05-06 Thread Gao feng
Now we can log audit messages in the user namespace which the current task belongs to. Signed-off-by: Gao feng --- include/net/xfrm.h | 7 --- net/xfrm/xfrm_policy.c | 4 ++-- net/xfrm/xfrm_state.c | 14 +++--- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a

[PATCH RFC 33/48] Audit: Log filter related audit message to proper user namespace

2013-05-06 Thread Gao feng
Now, we can log filter related audit messages to the user namespace which the task belongs to. Signed-off-by: Gao feng --- kernel/auditfilter.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index f2afe9b..8af148b 100644

[PATCH RFC 45/48] Audit: use audit_enabled_ns to replace audit_enabled

2013-05-06 Thread Gao feng
We should use the proper user namespace's audit.enabled, not the init_user_ns's audit.enabled. Signed-off-by: Gao feng --- drivers/tty/tty_audit.c | 4 ++-- kernel/auditsc.c| 2 +- net/core/dev.c | 2 +- security/apparmor/lib.c | 2 +- 4 files changed, 5 insert

[PATCH RFC 38/48] Audit: tty: translate audit_log_start to audit_log_start_ns

2013-05-06 Thread Gao feng
We can log audit messages in the user namespace which the current task belongs to. Signed-off-by: Gao feng --- drivers/tty/tty_audit.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/tty/tty_audit.c b/drivers/tty/tty_audit.c index 6953dc8..b20ef14 100644 --- a

[PATCH RFC 39/48] Audit: netlabel: translate audit_log_start to audit_log_start_ns

2013-05-06 Thread Gao feng
Now we can log audit messages in the user namespace which the current task belongs to. Signed-off-by: Gao feng --- net/ipv4/cipso_ipv4.c | 4 ++-- net/netlabel/netlabel_domainhash.c | 4 ++-- net/netlabel/netlabel_unlabeled.c | 8 net/netlabel/netlabel_user.c | 8

[PATCH RFC 37/48] Audit: translate audit_log_start to audit_log_start_ns

2013-05-06 Thread Gao feng
This patch translates calls of the interface audit_log_start to the namespace aware interface audit_log_start_ns. After we finish the translation, we can rename audit_log_start_ns to audit_log_start. Signed-off-by: Gao feng --- kernel/audit.c | 11 ++- 1 file changed, 6 insertions(+), 5

[PATCH RFC 35/48] Audit: Log task related audit message to proper user namespace

2013-05-06 Thread Gao feng
Now, we can log task related audit messages to the user namespace which the task belongs to. Signed-off-by: Gao feng --- kernel/auditsc.c | 114 +++ 1 file changed, 64 insertions(+), 50 deletions(-) diff --git a/kernel/auditsc.c b/kernel

[PATCH RFC 32/48] Audit: pass proper user namespace to audit_filter_inode_name

2013-05-06 Thread Gao feng
We should use the right inode_hash list to filter the task. Signed-off-by: Gao feng --- kernel/audit.h | 5 +++-- kernel/audit_watch.c | 3 ++- kernel/auditsc.c | 14 -- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index

[PATCH RFC 36/48] Audit: Log watch related audit message to proper user namespace

2013-05-06 Thread Gao feng
Now, we can log watch related audit messages to the user namespace which the task belongs to. Signed-off-by: Gao feng --- kernel/audit_watch.c | 19 --- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index 6be4cbe

[PATCH RFC 05/48] Audit: make audit_skb_hold_queue per user namespace

2013-05-06 Thread Gao feng
After this patch, every user namespace has one audit_skb_hold_queue. Since we haven't finished the preparations, only allow users to operate the skb hold queue of the init user namespace. Signed-off-by: Gao feng --- include/linux/user_namespace.h | 1 + kernel/audit.c

[PATCH RFC 40/48] Audit: ima: translate audit_log_start to audit_log_start_ns

2013-05-06 Thread Gao feng
Now we can log audit messages in the user namespace which the current task belongs to. Signed-off-by: Gao feng --- security/integrity/ima/ima_api.c| 7 --- security/integrity/ima/ima_audit.c | 11 +++ security/integrity/ima/ima_policy.c | 5 +++-- 3 files changed, 14 insertions

[PATCH RFC 34/48] Log audit tree related message in proper user namespace

2013-05-06 Thread Gao feng
Now, we can log audit tree related messages in the right user namespace. Signed-off-by: Gao feng --- kernel/audit.h | 4 ++-- kernel/audit_tree.c | 27 ++- kernel/auditsc.c| 6 -- 3 files changed, 20 insertions(+), 17 deletions(-) diff --git a/kernel

[PATCH RFC 30/48] Audit: reply audit filter list request to proper user namespace

2013-05-06 Thread Gao feng
We should reply the audit filter list request to the proper user namespace. Signed-off-by: Gao feng --- kernel/audit.c | 3 ++- kernel/audit.h | 1 + kernel/auditfilter.c | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index

[PATCH RFC 26/48] Audit: make audit_inode_hash per user namespace

2013-05-06 Thread Gao feng
audit_inode_hash is used to hash inode related audit rules, and the audit rule should be per user namespace. So we should make audit_inode_hash per user namespace too. Signed-off-by: Gao feng --- include/linux/user_namespace.h | 2 ++ kernel/audit.c | 13 + kernel

[PATCH RFC 25/48] Audit: send reply message to the auditd in proper user namespace

2013-05-06 Thread Gao feng
We can send the audit reply message to the userspace auditd process which is running in the same user namespace as the process which sent the audit request message to the kernel. Signed-off-by: Gao feng --- kernel/audit.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/kernel

[PATCH RFC 29/48] Audit: make audit_krule belongs to user namespace

2013-05-06 Thread Gao feng
Since update_lsm_rules will update all audit_krule, we still have to make audit_rules_list global. This patch adds a field user_ns to struct audit_krule to point out which user namespace this audit rule belongs to. Signed-off-by: Gao feng --- include/linux/audit.h | 1 + kernel/auditfilter.c

[PATCH RFC 28/48] Audit: make audit filter list per user namespace

2013-05-06 Thread Gao feng
This patch just makes the audit filter list per user namespace. Signed-off-by: Gao feng --- include/linux/user_namespace.h | 2 ++ kernel/audit.c | 4 kernel/auditfilter.c | 23 +++ kernel/auditsc.c | 12 +--- kernel

[PATCH RFC 23/48] Audit: netfilter: Log xt table replace behavior in proper user namespace

2013-05-06 Thread Gao feng
Log the audit message in the user namespace which the current task belongs to. Signed-off-by: Gao feng --- net/netfilter/x_tables.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 8b03028..ba90a1b 100644 --- a

[PATCH RFC 13/48] Audit: only allow init user namespace to change audit_rate_limit

2013-05-06 Thread Gao feng
Because we want to avoid DoS attacks caused by other user namespaces, don't make audit_rate_limit per user namespace, and only the init user namespace has the right to change it. Signed-off-by: Gao feng --- kernel/audit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/audi

[PATCH RFC 20/48] Audit: introduce new audit logging interface for user namespace

2013-05-06 Thread Gao feng
These interfaces, audit_log_start_ns and audit_log_end_ns, will be used for logging audit logs in a user namespace. Signed-off-by: Gao feng --- include/linux/audit.h | 25 -- kernel/audit.c| 95 ++- 2 files changed, 78 insertions

[PATCH RFC 17/48] Audit: make kauditd_wait per user namespace

2013-05-06 Thread Gao feng
kauditd_task is added to the wait queue kaudit_wait when there is no audit message being generated in a user namespace, so the kaudit_wait should be per user namespace too. Signed-off-by: Gao feng --- include/linux/user_namespace.h | 1 + kernel/audit.c | 8 2 files

[PATCH RFC 24/48] Audit: xt_AUDIT: Log audit message in proper user namespace

2013-05-06 Thread Gao feng
We can log audit messages in the user namespace which the netfilter xt_AUDIT rules belong to. Signed-off-by: Gao feng --- net/netfilter/xt_AUDIT.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c index 3228d7f..b1ffba2

[PATCH RFC 03/48] Audit: implement audit self-defined compare function

2013-05-06 Thread Gao feng
After this patch, audit netlink sockets can communicate with each other when they belong to the same user namespace. Signed-off-by: Gao feng --- kernel/audit.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 766dcbf..3ae8793 100644 --- a/kernel
