On Tue, 2017-07-25 at 22:00 -0500, Serge E. Hallyn wrote:
> On Fri, Jul 14, 2017 at 03:26:14PM -0400, Mimi Zohar wrote:
> > On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote:
> > > Which brings us to the semantic question of would it be nice to have
> > > stacked IMA/EVM on the same file.
On Fri, Jul 14, 2017 at 03:26:14PM -0400, Mimi Zohar wrote:
> On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote:
> > Which brings us to the semantic question of would it be nice to have
> > stacked IMA/EVM on the same file.
> >
> > I really don't think we do. I think allowing multiple
Quoting Eric W. Biederman (ebied...@xmission.com):
> Stefan Berger writes:
>
> > On 07/18/2017 03:01 AM, James Morris wrote:
> >> On Thu, 13 Jul 2017, Stefan Berger wrote:
> >>
> >>> A file shared by 2 containers, one mapping root to uid=1000, the other
> >>> mapping
> >>> root to uid=2000,
On 07/18/2017 10:57 AM, Vivek Goyal wrote:
On Tue, Jul 18, 2017 at 09:21:22AM -0400, Stefan Berger wrote:
On 07/18/2017 08:30 AM, Vivek Goyal wrote:
On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote:
On 07/18/2017 07:48 AM, Vivek Goyal wrote:
On Mon, Jul 17, 2017 at 04:50:22PM
On Tue, Jul 18, 2017 at 09:21:22AM -0400, Stefan Berger wrote:
> On 07/18/2017 08:30 AM, Vivek Goyal wrote:
> > On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote:
> > > On 07/18/2017 07:48 AM, Vivek Goyal wrote:
> > > > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote:
> >
Vivek Goyal writes:
> On Tue, Jul 18, 2017 at 08:30:09AM -0400, Vivek Goyal wrote:
>> On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote:
>> > On 07/18/2017 07:48 AM, Vivek Goyal wrote:
>> > > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote:
>> > > > On 07/17/2017 02:58
Stefan Berger writes:
> On 07/18/2017 03:01 AM, James Morris wrote:
>> On Thu, 13 Jul 2017, Stefan Berger wrote:
>>
>>> A file shared by 2 containers, one mapping root to uid=1000, the other
>>> mapping
>>> root to uid=2000, will show these two xattrs on the host (init_user_ns) once
>>> these
On 07/18/2017 08:30 AM, Vivek Goyal wrote:
On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote:
On 07/18/2017 07:48 AM, Vivek Goyal wrote:
On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote:
On 07/17/2017 02:58 PM, Vivek Goyal wrote:
On Tue, Jul 11, 2017 at 11:05:11AM
On Tue, Jul 18, 2017 at 08:30:09AM -0400, Vivek Goyal wrote:
> On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote:
> > On 07/18/2017 07:48 AM, Vivek Goyal wrote:
> > > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote:
> > > > On 07/17/2017 02:58 PM, Vivek Goyal wrote:
> > >
On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote:
> On 07/18/2017 07:48 AM, Vivek Goyal wrote:
> > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote:
> > > On 07/17/2017 02:58 PM, Vivek Goyal wrote:
> > > > On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote:
> >
On 07/18/2017 03:01 AM, James Morris wrote:
On Thu, 13 Jul 2017, Stefan Berger wrote:
A file shared by 2 containers, one mapping root to uid=1000, the other mapping
root to uid=2000, will show these two xattrs on the host (init_user_ns) once
these containers set xattrs on that file.
I may be
On 07/18/2017 07:48 AM, Vivek Goyal wrote:
On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote:
On 07/17/2017 02:58 PM, Vivek Goyal wrote:
On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote:
[..]
+/*
+ * xattr_list_userns_rewrite - Rewrite list of xattr names for user
On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote:
> On 07/17/2017 02:58 PM, Vivek Goyal wrote:
> > On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote:
> >
> > [..]
> > > +/*
> > > + * xattr_list_userns_rewrite - Rewrite list of xattr names for user
> > > namespaces
> > >
On Thu, 13 Jul 2017, Stefan Berger wrote:
> A file shared by 2 containers, one mapping root to uid=1000, the other mapping
> root to uid=2000, will show these two xattrs on the host (init_user_ns) once
> these containers set xattrs on that file.
I may be missing something here, but what happens
On 07/17/2017 02:58 PM, Vivek Goyal wrote:
On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote:
[..]
+/*
+ * xattr_list_userns_rewrite - Rewrite list of xattr names for user namespaces
+ * or determine needed size for attribute list
+ *
On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote:
[..]
> +/*
> + * xattr_list_userns_rewrite - Rewrite list of xattr names for user
> namespaces
> + * or determine needed size for attribute list
> + * in case size == 0
> + *
>
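Review bot: the header comment for xattr_list_userns_rewrite (the `+/*` block ending at `in case size == 0`) describes two modes, rewriting the name list and, when size == 0, reporting the size the rewritten list needs, but it does not say what the function returns in each mode or what happens when the buffer passed on the rewrite call turns out to be too small. Since this follows the listxattr(2) probe-then-fill convention, spell out the return value for both modes and the error for a short buffer (-ERANGE is the listxattr convention), because a list that changes between the size probe and the fill is exactly where a truncation bug would hide. The comment also opens with `/*` rather than the kernel-doc `/**`, so the description will not be picked up by the documentation build.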
On Fri, 2017-07-14 at 19:02 -0500, Eric W. Biederman wrote:
> Mimi Zohar writes:
>
> > On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote:
> >> "Serge E. Hallyn" writes:
> >>
> >> > Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
> >> >> On 07/14/2017 09:34 AM, Serge E. Hallyn
On 07/14/2017 07:41 PM, Eric W. Biederman wrote:
Stefan Berger <stefanb@linux.vnet.ibm.com> writes:
From: Stefan Berger
This patch enables security.capability in user namespaces but also
takes a more general approach to enabling extended attributes in user
namespaces.
The
Mimi Zohar writes:
> On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote:
>> "Serge E. Hallyn" writes:
>>
>> > Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
>> >> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote:
>> >> >Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
>> >> >>On
James Bottomley writes:
> On Fri, 2017-07-14 at 16:03 -0400, Mimi Zohar wrote:
>> On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote:
>> >
>> > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote:
>> > >
>> > > The concern is with a shared filesystems. In that case, for IMA
>> > > it
Stefan Berger <stefanb@linux.vnet.ibm.com> writes:
> From: Stefan Berger
>
> This patch enables security.capability in user namespaces but also
> takes a more general approach to enabling extended attributes in user
> namespaces.
>
> The following rules describe the approach using
Theodore Ts'o writes:
> On Fri, Jul 14, 2017 at 01:39:59PM -0700, James Bottomley wrote:
>> but why? That's partly the point of all of this: some security.
>> attributes can't be written by container root without some supervision
>> (the capability ones are the hugely problematic ones from this
On Fri, 2017-07-14 at 13:39 -0700, James Bottomley wrote:
> On Fri, 2017-07-14 at 16:03 -0400, Mimi Zohar wrote:
> > On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote:
> > >
> > > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote:
> > > >
> > > > The concern is with a shared
On Fri, Jul 14, 2017 at 01:39:59PM -0700, James Bottomley wrote:
> but why? That's partly the point of all of this: some security.
> attributes can't be written by container root without some supervision
> (the capability ones are the hugely problematic ones from this point of
> view), but for
On Fri, 2017-07-14 at 16:03 -0400, Mimi Zohar wrote:
> On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote:
> >
> > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote:
> > >
> > > The concern is with a shared filesystems. In that case, for IMA
> > > it would make sense to support a native
On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote:
> On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote:
> > The concern is with a shared filesystems. In that case, for IMA it
> > would make sense to support a native and a namespace xattr. If due
> > to xattr space limitations we have to
On Fri, 2017-07-14 at 15:29 -0400, Theodore Ts'o wrote:
> On Fri, Jul 14, 2017 at 02:48:10PM -0400, Mimi Zohar wrote:
> >
> > If I'm understanding the discussion correctly, this isn't an issue for
> > layered copy on write filesystems, as each fs layer could have it's
> > own set of xattrs. The
On Fri, Jul 14, 2017 at 02:48:10PM -0400, Mimi Zohar wrote:
>
> If I'm understanding the discussion correctly, this isn't an issue for
> layered copy on write filesystems, as each fs layer could have it's
> own set of xattrs. The underlying and layered xattrs should be able
> to co-exist. Use
On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote:
> "Serge E. Hallyn" writes:
>
> > Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
> >> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote:
> >> >Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
> >> >>On 07/13/2017 08:38 PM, Eric W.
On 07/14/2017 01:36 PM, Eric W. Biederman wrote:
Stefan Berger writes:
On 07/14/2017 09:34 AM, Serge E. Hallyn wrote:
Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
On 07/13/2017 08:38 PM, Eric W. Biederman wrote:
Stefan Berger writes:
On 07/13/2017 01:49 PM, Eric W. Biederman
Stefan Berger writes:
> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote:
>> Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
>>> On 07/13/2017 08:38 PM, Eric W. Biederman wrote:
Stefan Berger writes:
> On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
>
>> My big question
On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote:
> The concern is with a shared filesystems. In that case, for IMA it
> would make sense to support a native and a namespace xattr. If due
> to xattr space limitations we have to limit the number of xattrs,
> then we should limit it to two - a
On Fri, 2017-07-14 at 12:35 -0500, Serge E. Hallyn wrote:
> Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
> > On 07/14/2017 09:34 AM, Serge E. Hallyn wrote:
> > >Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
> > >>On 07/13/2017 08:38 PM, Eric W. Biederman wrote:
> > >>>Stefan Berger
"Serge E. Hallyn" writes:
> Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
>> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote:
>> >Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
>> >>On 07/13/2017 08:38 PM, Eric W. Biederman wrote:
>> >>>Stefan Berger writes:
>> >>>
>> On 07/13/2017
Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote:
> >Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
> >>On 07/13/2017 08:38 PM, Eric W. Biederman wrote:
> >>>Stefan Berger writes:
> >>>
> On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
On 07/14/2017 09:34 AM, Serge E. Hallyn wrote:
Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
On 07/13/2017 08:38 PM, Eric W. Biederman wrote:
Stefan Berger writes:
On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
My big question right now is can you implement Ted's suggested
Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
> On 07/13/2017 08:38 PM, Eric W. Biederman wrote:
> >Stefan Berger writes:
> >
> >>On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
> >>
> >>>My big question right now is can you implement Ted's suggested
> >>>restriction. Only one
On 07/14/2017 08:04 AM, Eric W. Biederman wrote:
Stefan Berger writes:
On 07/13/2017 08:38 PM, Eric W. Biederman wrote:
Stefan Berger writes:
On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
My big question right now is can you implement Ted's suggested
restriction. Only one
Stefan Berger writes:
> On 07/13/2017 08:38 PM, Eric W. Biederman wrote:
>> Stefan Berger writes:
>>
>>> On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
>>>
My big question right now is can you implement Ted's suggested
restriction. Only one security.foo or security.foo@...
On 07/13/2017 08:38 PM, Eric W. Biederman wrote:
Stefan Berger writes:
On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
My big question right now is can you implement Ted's suggested
restriction. Only one security.foo or security.foo@... attribute ?
We need to raw-list the xattrs and do
Stefan Berger writes:
> On 07/13/2017 01:49 PM, Eric W. Biederman wrote:
>
> > My big question right now is can you implement Ted's suggested
> > restriction. Only one security.foo or security.foo@... attribute ?
> We need to raw-list the xattrs and do the check before writing them. I am
>
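Eric's question just above (can Ted's restriction of one security.foo or security.foo@... per file be implemented?), Stefan's reply that the xattrs must be raw-listed and checked before writing, Stefan's earlier two-container case (a shared file showing both uid=1000 and uid=2000 variants on the host), and the xattr_list_userns_rewrite() header comment quoted earlier in this listing all come down to walking a listxattr-style name buffer. The C program below is an added example written for this page, not the patch's code and not any participant's: it models Ted's at-most-one check and the namespace rewrite in both of its modes (size probe with outsize 0, then fill) over a constructed host-side list. The host-side "security.foo@uid=N" naming is the thread's; the visibility policy (the calling namespace's own entries lose their suffix, other namespaces' entries are hidden, plain names pass through, the initial namespace sees the raw list), the sample lists and every helper name are assumptions of this example, not something the thread settles.

```c
/* Added example, not the thread's patch: a userspace model of the two rules
 * discussed above, on a listxattr(2)-style buffer of NUL-terminated names.
 * The "security.foo@uid=N" naming is the thread's; the visibility policy in
 * the rewrite and all helper names are this example's assumptions. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample lists (not from the thread) in listxattr buffer form. */
static const char single_list[] = "security.capability@uid=1000\0user.comment\0";
static const char shared_list[] = /* Stefan's two-container case */
    "security.capability@uid=1000\0security.capability@uid=2000\0user.comment\0";
#define SINGLE_LEN (sizeof(single_list) - 1)
#define SHARED_LEN (sizeof(shared_list) - 1)
static char view[64];               /* a namespace's rewritten view */

/* Split "security.foo@uid=1000" into base length and uid: 1 = suffixed,
 * 0 = plain (uid 0, initial namespace), -1 = '@' without a valid "@uid=N". */
static int parse_userns_suffix(const char *name, size_t *baselen, unsigned long *uid)
{
    const char *at = strrchr(name, '@');
    char *end;

    *baselen = strlen(name);
    *uid = 0;
    if (!at)
        return 0;
    if (strncmp(at, "@uid=", 5) != 0 || at[5] < '0' || at[5] > '9')
        return -1;
    errno = 0;
    *uid = strtoul(at + 5, &end, 10);
    if (errno != 0 || *end != '\0')
        return -1;
    *baselen = (size_t)(at - name);
    return 1;
}

/* Ted's restriction as quoted above: only one of security.foo or
 * security.foo@uid=... per file.  Given the raw host list, may root of the
 * namespace mapped to host uid root_uid (0 = initial namespace) write `base`?
 * 0 = yes, -EEXIST = another variant holds the slot, -EINVAL = bad list. */
static int check_single_variant(const char *list, size_t len, const char *base,
                                unsigned long root_uid)
{
    size_t off = 0, baselen;
    unsigned long uid = 0;

    while (off < len) {
        const char *name = list + off, *nul = memchr(name, '\0', len - off);

        if (!nul)
            return -EINVAL;     /* unterminated entry */
        off = (size_t)(nul - list) + 1;
        if (strncmp(name, "security.", 9) != 0)
            continue;
        if (parse_userns_suffix(name, &baselen, &uid) < 0)
            return -EINVAL;
        if (baselen == strlen(base) && strncmp(name, base, baselen) == 0 && uid != root_uid)
            return -EEXIST;     /* slot held by another namespace or the host */
    }
    return 0;
}

/* Model of the xattr_list_userns_rewrite() whose header is quoted above:
 * rewrite the host list for a namespace whose root maps to host uid root_uid,
 * or with outsize == 0 only report the size needed.  Assumed policy: own
 * "@uid=<root_uid>" entries lose the suffix, other namespaces' are hidden,
 * everything else passes through, root_uid 0 sees the raw list.  Returns the
 * byte count, -ERANGE (listxattr's convention) if `out` is too small. */
static long xattr_list_userns_rewrite(const char *list, size_t len, unsigned long root_uid,
                                      char *out, size_t outsize)
{
    size_t off = 0, need = 0, keep;
    unsigned long uid = 0;
    int rc;

    while (off < len) {
        const char *name = list + off, *nul = memchr(name, '\0', len - off);

        if (!nul)
            return -EINVAL;
        off = (size_t)(nul - list) + 1;
        keep = (size_t)(nul - name);
        if (root_uid != 0 && strncmp(name, "security.", 9) == 0) {
            if ((rc = parse_userns_suffix(name, &keep, &uid)) < 0)
                return -EINVAL;
            if (rc == 1 && uid != root_uid)
                continue;       /* another namespace's entry: hide it */
        }
        if (outsize != 0) {     /* fill mode: never trust a probed size blindly */
            if (need + keep + 1 > outsize)
                return -ERANGE;
            memcpy(out + need, name, keep);
            out[need + keep] = '\0';
        }
        need += keep + 1;       /* probe mode just accumulates */
    }
    return (long)need;
}
```

With the shared list, root of the uid=1000 container sees `security.capability` and `user.comment` (33 bytes), root of the uid=2000 container sees the same names backed by its own entry, an unrelated uid=3000 container sees only `user.comment`, and the host sees all three raw entries. On the write side, `check_single_variant` lets uid=1000 overwrite its own entry but refuses uid=2000 and the host with -EEXIST while that entry exists. The -ERANGE path is the one to watch: a caller that probes with outsize 0 and then fills must not assume the probed size is still enough, which is why the fill re-checks against outsize on every entry instead of truncating.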
Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
> For virtualizing the xattrs on the 'value' side I was looking for
> whether there's something like a 'wrapper' structure around the
> actual value of the xattr so that that wrapper could be extended to
> support different values at different
"Serge E. Hallyn" writes:
> Quoting Eric W. Biederman (ebied...@xmission.com):
>> Stefan Berger writes:
>>
>> > On 07/13/2017 01:14 PM, Eric W. Biederman wrote:
>> >> Theodore Ts'o writes:
>> >>
>> >>> On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote:
>> The concise
Quoting Eric W. Biederman (ebied...@xmission.com):
> Stefan Berger writes:
> If you don't care about the ownership of the files, and read only is
> acceptable, and you still don't want to give these executables
> capabilities in the initial user namespace. What you can do is
> make everything
Quoting Theodore Ts'o (ty...@mit.edu):
> On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote:
> > The concise summary:
> >
> > Today we have the xattr security.capable that holds a set of
> > capabilities that an application gains when executed. AKA setuid root exec
> > without
Quoting Eric W. Biederman (ebied...@xmission.com):
> Stefan Berger writes:
>
> > On 07/13/2017 01:14 PM, Eric W. Biederman wrote:
> >> Theodore Ts'o writes:
> >>
> >>> On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote:
> The concise summary:
>
> Today we have the
Quoting Theodore Ts'o (ty...@mit.edu):
> On Thu, Jul 13, 2017 at 12:39:10PM -0500, Eric W. Biederman wrote:
> > > Can you define what 'scalable' means for you in this context?
> > > From what I can see sharing a filesystem between multiple containers
> > > doesn't 'scale well' for virtualizing the
On Thu, Jul 13, 2017 at 12:39:10PM -0500, Eric W. Biederman wrote:
> > Can you define what 'scalable' means for you in this context?
> > From what I can see sharing a filesystem between multiple containers
> > doesn't 'scale well' for virtualizing the xattrs primarily because of
> > size
Stefan Berger writes:
> On 07/13/2017 01:14 PM, Eric W. Biederman wrote:
>> Theodore Ts'o writes:
>>
>>> On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote:
The concise summary:
Today we have the xattr security.capable that holds a set of
capabilities that an
Stefan Berger writes:
> On 07/13/2017 12:40 PM, Theodore Ts'o wrote:
>> On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote:
>>> The concise summary:
>>>
>>> Today we have the xattr security.capable that holds a set of
>>> capabilities that an application gains when executed. AKA
1 - 100 of 150 matches