Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-26 Thread Mimi Zohar
On Tue, 2017-07-25 at 22:00 -0500, Serge E. Hallyn wrote: > On Fri, Jul 14, 2017 at 03:26:14PM -0400, Mimi Zohar wrote: > > On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote: > > > Which brings us to the semantic question of would it be nice to have > > > stacked IMA/EVM on the same file.

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-25 Thread Serge E. Hallyn
On Fri, Jul 14, 2017 at 03:26:14PM -0400, Mimi Zohar wrote: > On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote: > > Which brings us to the semantic question of would it be nice to have > > stacked IMA/EVM on the same file. > > > > I really don't think we do. I think allowing multiple

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > Stefan Berger writes: > > > On 07/18/2017 03:01 AM, James Morris wrote: > >> On Thu, 13 Jul 2017, Stefan Berger wrote: > >> > >>> A file shared by 2 containers, one mapping root to uid=1000, the other > >>> mapping > >>> root to uid=2000,

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Stefan Berger
On 07/18/2017 10:57 AM, Vivek Goyal wrote: On Tue, Jul 18, 2017 at 09:21:22AM -0400, Stefan Berger wrote: On 07/18/2017 08:30 AM, Vivek Goyal wrote: On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote: On 07/18/2017 07:48 AM, Vivek Goyal wrote: On Mon, Jul 17, 2017 at 04:50:22PM

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Vivek Goyal
On Tue, Jul 18, 2017 at 09:21:22AM -0400, Stefan Berger wrote: > On 07/18/2017 08:30 AM, Vivek Goyal wrote: > > On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote: > > > On 07/18/2017 07:48 AM, Vivek Goyal wrote: > > > > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: > >

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Eric W. Biederman
Vivek Goyal writes: > On Tue, Jul 18, 2017 at 08:30:09AM -0400, Vivek Goyal wrote: >> On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote: >> > On 07/18/2017 07:48 AM, Vivek Goyal wrote: >> > > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: >> > > > On 07/17/2017 02:58

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Eric W. Biederman
Stefan Berger writes: > On 07/18/2017 03:01 AM, James Morris wrote: >> On Thu, 13 Jul 2017, Stefan Berger wrote: >> >>> A file shared by 2 containers, one mapping root to uid=1000, the other >>> mapping >>> root to uid=2000, will show these two xattrs on the host (init_user_ns) once >>> these

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Stefan Berger
On 07/18/2017 08:30 AM, Vivek Goyal wrote: On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote: On 07/18/2017 07:48 AM, Vivek Goyal wrote: On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: On 07/17/2017 02:58 PM, Vivek Goyal wrote: On Tue, Jul 11, 2017 at 11:05:11AM

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Vivek Goyal
On Tue, Jul 18, 2017 at 08:30:09AM -0400, Vivek Goyal wrote: > On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote: > > On 07/18/2017 07:48 AM, Vivek Goyal wrote: > > > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: > > > > On 07/17/2017 02:58 PM, Vivek Goyal wrote: > > >

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Vivek Goyal
On Tue, Jul 18, 2017 at 08:05:18AM -0400, Stefan Berger wrote: > On 07/18/2017 07:48 AM, Vivek Goyal wrote: > > On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: > > > On 07/17/2017 02:58 PM, Vivek Goyal wrote: > > > > On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote: > >

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Stefan Berger
On 07/18/2017 03:01 AM, James Morris wrote: On Thu, 13 Jul 2017, Stefan Berger wrote: A file shared by 2 containers, one mapping root to uid=1000, the other mapping root to uid=2000, will show these two xattrs on the host (init_user_ns) once these containers set xattrs on that file. I may be

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Stefan Berger
On 07/18/2017 07:48 AM, Vivek Goyal wrote: On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: On 07/17/2017 02:58 PM, Vivek Goyal wrote: On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote: [..] +/* + * xattr_list_userns_rewrite - Rewrite list of xattr names for user

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread Vivek Goyal
On Mon, Jul 17, 2017 at 04:50:22PM -0400, Stefan Berger wrote: > On 07/17/2017 02:58 PM, Vivek Goyal wrote: > > On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote: > > > > [..] > > > +/* > > > + * xattr_list_userns_rewrite - Rewrite list of xattr names for user > > > namespaces > > >

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-18 Thread James Morris
On Thu, 13 Jul 2017, Stefan Berger wrote: > A file shared by 2 containers, one mapping root to uid=1000, the other mapping > root to uid=2000, will show these two xattrs on the host (init_user_ns) once > these containers set xattrs on that file. I may be missing something here, but what happens

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-17 Thread Stefan Berger
On 07/17/2017 02:58 PM, Vivek Goyal wrote: On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote: [..] +/* + * xattr_list_userns_rewrite - Rewrite list of xattr names for user namespaces + * or determine needed size for attribute list + *

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-17 Thread Vivek Goyal
On Tue, Jul 11, 2017 at 11:05:11AM -0400, Stefan Berger wrote: [..] > +/* > + * xattr_list_userns_rewrite - Rewrite list of xattr names for user > namespaces > + * or determine needed size for attribute list > + * in case size == 0 > + * >

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-16 Thread Mimi Zohar
On Fri, 2017-07-14 at 19:02 -0500, Eric W. Biederman wrote: > Mimi Zohar writes: > > > On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote: > >> "Serge E. Hallyn" writes: > >> > >> > Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > >> >> On 07/14/2017 09:34 AM, Serge E. Hallyn

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-15 Thread Stefan Berger
On 07/14/2017 07:41 PM, Eric W. Biederman wrote: Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes: From: Stefan Berger This patch enables security.capability in user namespaces but also takes a more general approach to enabling extended attributes in user namespaces. The

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
Mimi Zohar writes: > On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote: >> "Serge E. Hallyn" writes: >> >> > Quoting Stefan Berger (stef...@linux.vnet.ibm.com): >> >> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: >> >> >Quoting Stefan Berger (stef...@linux.vnet.ibm.com): >> >> >>On

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
James Bottomley writes: > On Fri, 2017-07-14 at 16:03 -0400, Mimi Zohar wrote: >> On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote: >> > >> > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: >> > > >> > > The concern is with a shared filesystem.  In that case, for IMA >> > > it

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
Stefan Berger <"Stefan Bergerstefanb"@linux.vnet.ibm.com> writes: > From: Stefan Berger > > This patch enables security.capability in user namespaces but also > takes a more general approach to enabling extended attributes in user > namespaces. > > The following rules describe the approach using

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Mimi Zohar
On Fri, 2017-07-14 at 13:39 -0700, James Bottomley wrote: > On Fri, 2017-07-14 at 16:03 -0400, Mimi Zohar wrote: > > On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote: > > > > > > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: > > > > > > > > The concern is with a shared

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
Theodore Ts'o writes: > On Fri, Jul 14, 2017 at 01:39:59PM -0700, James Bottomley wrote: >> but why?  That's partly the point of all of this: some security. >> attributes can't be written by container root without some supervision >> (the capability ones are the hugely problematic ones from this

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Theodore Ts'o
On Fri, Jul 14, 2017 at 01:39:59PM -0700, James Bottomley wrote: > but why?  That's partly the point of all of this: some security. > attributes can't be written by container root without some supervision > (the capability ones are the hugely problematic ones from this point of > view), but for

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread James Bottomley
On Fri, 2017-07-14 at 16:03 -0400, Mimi Zohar wrote: > On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote: > > > > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: > > > > > > The concern is with a shared filesystem.  In that case, for IMA > > > it would make sense to support a native

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Mimi Zohar
On Fri, 2017-07-14 at 11:52 -0700, James Bottomley wrote: > On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: > > The concern is with a shared filesystem.  In that case, for IMA it > > would make sense to support a native and a namespace xattr.  If due > > to xattr space limitations we have to

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Mimi Zohar
On Fri, 2017-07-14 at 15:29 -0400, Theodore Ts'o wrote: > On Fri, Jul 14, 2017 at 02:48:10PM -0400, Mimi Zohar wrote: > > > > If I'm understanding the discussion correctly, this isn't an issue for > > layered copy on write filesystems, as each fs layer could have its > > own set of xattrs.  The

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Theodore Ts'o
On Fri, Jul 14, 2017 at 02:48:10PM -0400, Mimi Zohar wrote: > > If I'm understanding the discussion correctly, this isn't an issue for > layered copy on write filesystems, as each fs layer could have its > own set of xattrs.  The underlying and layered xattrs should be able > to co-exist.  Use

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Mimi Zohar
On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote: > "Serge E. Hallyn" writes: > > > Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > >> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: > >> >Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > >> >>On 07/13/2017 08:38 PM, Eric W.

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Stefan Berger
On 07/14/2017 01:36 PM, Eric W. Biederman wrote: Stefan Berger writes: On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: Quoting Stefan Berger (stef...@linux.vnet.ibm.com): On 07/13/2017 08:38 PM, Eric W. Biederman wrote: Stefan Berger writes: On 07/13/2017 01:49 PM, Eric W. Biederman

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
Stefan Berger writes: > On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: >> Quoting Stefan Berger (stef...@linux.vnet.ibm.com): >>> On 07/13/2017 08:38 PM, Eric W. Biederman wrote: Stefan Berger writes: > On 07/13/2017 01:49 PM, Eric W. Biederman wrote: > >> My big question

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread James Bottomley
On Fri, 2017-07-14 at 14:48 -0400, Mimi Zohar wrote: > The concern is with a shared filesystem.  In that case, for IMA it > would make sense to support a native and a namespace xattr.  If due > to xattr space limitations we have to limit the number of xattrs, > then we should limit it to two - a

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Mimi Zohar
On Fri, 2017-07-14 at 12:35 -0500, Serge E. Hallyn wrote: > Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > > On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: > > >Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > > >>On 07/13/2017 08:38 PM, Eric W. Biederman wrote: > > >>>Stefan Berger

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
"Serge E. Hallyn" writes: > Quoting Stefan Berger (stef...@linux.vnet.ibm.com): >> On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: >> >Quoting Stefan Berger (stef...@linux.vnet.ibm.com): >> >>On 07/13/2017 08:38 PM, Eric W. Biederman wrote: >> >>>Stefan Berger writes: >> >>> >> On 07/13/2017

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Serge E. Hallyn
Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: > >Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > >>On 07/13/2017 08:38 PM, Eric W. Biederman wrote: > >>>Stefan Berger writes: > >>> > On 07/13/2017 01:49 PM, Eric W. Biederman wrote:

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Stefan Berger
On 07/14/2017 09:34 AM, Serge E. Hallyn wrote: Quoting Stefan Berger (stef...@linux.vnet.ibm.com): On 07/13/2017 08:38 PM, Eric W. Biederman wrote: Stefan Berger writes: On 07/13/2017 01:49 PM, Eric W. Biederman wrote: My big question right now is can you implement Ted's suggested

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Serge E. Hallyn
Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > On 07/13/2017 08:38 PM, Eric W. Biederman wrote: > >Stefan Berger writes: > > > >>On 07/13/2017 01:49 PM, Eric W. Biederman wrote: > >> > >>>My big question right now is can you implement Ted's suggested > >>>restriction. Only one

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Stefan Berger
On 07/14/2017 08:04 AM, Eric W. Biederman wrote: Stefan Berger writes: On 07/13/2017 08:38 PM, Eric W. Biederman wrote: Stefan Berger writes: On 07/13/2017 01:49 PM, Eric W. Biederman wrote: My big question right now is can you implement Ted's suggested restriction. Only one

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Eric W. Biederman
Stefan Berger writes: > On 07/13/2017 08:38 PM, Eric W. Biederman wrote: >> Stefan Berger writes: >> >>> On 07/13/2017 01:49 PM, Eric W. Biederman wrote: >>> My big question right now is can you implement Ted's suggested restriction. Only one security.foo or security.foo@...

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-14 Thread Stefan Berger
On 07/13/2017 08:38 PM, Eric W. Biederman wrote: Stefan Berger writes: On 07/13/2017 01:49 PM, Eric W. Biederman wrote: My big question right now is can you implement Ted's suggested restriction. Only one security.foo or security.foo@... attribute ? We need to raw-list the xattrs and do
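The restriction Eric relays from Ted above ("only one security.foo or security.foo@... attribute"), and Stefan's reply that the xattrs have to be raw-listed and checked before writing, can be illustrated in user space. The C program below is an added example, not code from the patch or from any participant in this thread: it walks a name list in the format llistxattr(2) returns (NUL-terminated names back to back) and rejects a write that would leave a file with both a native `security.foo` and a namespaced `security.foo@...` variant. The `@uid=1000` suffix form, the function names and the sample list are assumptions for illustration; the patch itself is not shown on this page, so only the rule as stated in the snippets is modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample data (not taken from a real file): a raw name list
 * in the llistxattr(2) format, i.e. NUL-terminated names back to back.
 * sizeof(sample_list) includes the final NUL, as a real buffer would.
 */
const char sample_list[] = "security.capability\0user.foo\0security.selinux";

/* Length of a name up to, but not including, an optional '@' suffix. */
static size_t xattr_base_len(const char *name)
{
	const char *at = strchr(name, '@');

	return at ? (size_t)(at - name) : strlen(name);
}

/* True if both names share a base, i.e. the part before any '@'. */
static bool xattr_same_base(const char *a, const char *b)
{
	size_t la = xattr_base_len(a), lb = xattr_base_len(b);

	return la == lb && memcmp(a, b, la) == 0;
}

/*
 * xattr_name_conflicts - apply the "only one security.foo or
 * security.foo@..." rule to a raw name list before a write.
 *
 * @list, @size: NUL-separated names as returned by llistxattr(2)
 * @newname:     the name about to be set
 *
 * Returns true if the list already holds a *different* name with the same
 * base as @newname, so setting @newname would create a second variant.
 * Overwriting the exact same name is allowed, and names outside the
 * security. namespace are not restricted. The check is symmetric: a
 * native name blocks a namespaced one and vice versa.
 */
bool xattr_name_conflicts(const char *list, size_t size, const char *newname)
{
	const char *const prefix = "security.";
	size_t off = 0;

	if (strncmp(newname, prefix, strlen(prefix)) != 0)
		return false;

	while (off < size) {
		const char *name = list + off;
		size_t len = 0;

		/* bounded scan: never read past the end of the buffer */
		while (off + len < size && name[len] != '\0')
			len++;
		if (off + len == size)
			break;			/* unterminated tail: ignore */

		if (xattr_same_base(name, newname) && strcmp(name, newname) != 0)
			return true;
		off += len + 1;
	}
	return false;
}

int main(void)
{
	const char *candidates[] = {
		"security.capability@uid=1000",	/* base already present: reject */
		"security.capability",		/* overwrite of same name: allow */
		"security.ima@uid=1000",	/* no such base yet: allow */
		"user.foo@uid=1000",		/* not security.*: unrestricted */
	};

	for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
		printf("%-32s -> %s\n", candidates[i],
		       xattr_name_conflicts(sample_list, sizeof sample_list,
					    candidates[i]) ? "reject" : "allow");
	return 0;
}
```

On a real file the list would come from `llistxattr()` on the host side of the mapping, since a namespaced caller only sees the rewritten names; the point of the check is that the decision is made against the raw on-disk names, not the view presented inside the container.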

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Eric W. Biederman
Stefan Berger writes: > On 07/13/2017 01:49 PM, Eric W. Biederman wrote: > > > My big question right now is can you implement Ted's suggested > > restriction. Only one security.foo or security.foo@... attribute ? > We need to raw-list the xattrs and do the check before writing them. I am >

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Serge E. Hallyn
Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > For virtualizing the xattrs on the 'value' side I was looking for > whether there's something like a 'wrapper' structure around the > actual value of the xattr so that that wrapper could be extended to > support different values at different

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Eric W. Biederman
"Serge E. Hallyn" writes: > Quoting Eric W. Biederman (ebied...@xmission.com): >> Stefan Berger writes: >> >> > On 07/13/2017 01:14 PM, Eric W. Biederman wrote: >> >> Theodore Ts'o writes: >> >> >> >>> On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: >> The concise

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > Stefan Berger writes: > If you don't care about the ownership of the files, and read only is > acceptable, and you still don't want to give these executables > capabilities in the initial user namespace. What you can do is > make everything

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Serge E. Hallyn
Quoting Theodore Ts'o (ty...@mit.edu): > On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: > > The concise summary: > > > > Today we have the xattr security.capable that holds a set of > > capabilities that an application gains when executed. AKA setuid root exec > > without

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > Stefan Berger writes: > > > On 07/13/2017 01:14 PM, Eric W. Biederman wrote: > >> Theodore Ts'o writes: > >> > >>> On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: > The concise summary: > > Today we have the

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Serge E. Hallyn
Quoting Theodore Ts'o (ty...@mit.edu): > On Thu, Jul 13, 2017 at 12:39:10PM -0500, Eric W. Biederman wrote: > > > Can you define what 'scalable' means for you in this context? > > > From what I can see sharing a filesystem between multiple containers > > > doesn't 'scale well' for virtualizing the

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Theodore Ts'o
On Thu, Jul 13, 2017 at 12:39:10PM -0500, Eric W. Biederman wrote: > > Can you define what 'scalable' means for you in this context? > > From what I can see sharing a filesystem between multiple containers > > doesn't 'scale well' for virtualizing the xattrs primarily because of > > size

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Eric W. Biederman
Stefan Berger writes: > On 07/13/2017 01:14 PM, Eric W. Biederman wrote: >> Theodore Ts'o writes: >> >>> On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: The concise summary: Today we have the xattr security.capable that holds a set of capabilities that an

Re: [PATCH v2] xattr: Enable security.capability in user namespaces

2017-07-13 Thread Eric W. Biederman
Stefan Berger writes: > On 07/13/2017 12:40 PM, Theodore Ts'o wrote: >> On Thu, Jul 13, 2017 at 07:11:36AM -0500, Eric W. Biederman wrote: >>> The concise summary: >>> >>> Today we have the xattr security.capable that holds a set of >>> capabilities that an application gains when executed. AKA
