On Tue, Jun 20, 2017 at 8:33 PM, Stefan Berger <stef...@linux.vnet.ibm.com> wrote:
> On 06/20/2017 08:19 AM, Stefan Berger wrote:
>>
>> On 06/20/2017 01:42 AM, Amir Goldstein wrote:
>>>>
>>> Apropos stackable filesystems [cc some overlayfs folks], is there any
>>> way that parts of this work could be generalized towards ns aware
>>> trusted@uid.* xattr?
>>
>>
>> I am at least removing all string comparison with xattr names from the
>> core code and moving the enabled xattr names into a list. For the security.*
>> extended attribute names we would enumerate the enabled ones in that list,
>> only security.capability for now. I am not sure how the trusted.* space
>> works.
>
>
> I extended 'the infrastructure' now to support prefix matching for trusted.*
> and probably others as well. It's fairly easy to do that but would not write
> the code like that for exact string matching to support security.capability.
> The patch lets me write trusted.foo@uid=100 from within the userns if
> uid=100 exists, rejects it otherwise. It may be written out as
> trusted.foo@uid=1100 for root mapping to uid 1000. I can list this entry on
> the host. For some reason trusted.* is not listed at all inside the userns.
> So something else needs to be enabled as well. For now it looks like this:
>
>
> https://github.com/stefanberger/linux/commit/8ae131e731c9e1def92a2100697632ea35e007d0
>

That looks useful!
I hope someone who knows his way around trusted xattr can say what's missing.

Thanks,
Amir.
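To make the uid translation Stefan describes concrete, here is a small added Python model of it (not code from his kernel patch): a user namespace whose root maps to host uid 1000 writes trusted.foo@uid=100, which is stored host-side as trusted.foo@uid=1100, and a name carrying an unmapped uid is rejected. The uid_map text is a constructed sample in /proc/<pid>/uid_map format; the function names are this example's own.

```python
import re
from typing import List, Optional, Tuple

# uid_map entries, as in /proc/<pid>/uid_map: "<ns_start> <host_start> <count>"
UidMap = List[Tuple[int, int, int]]

# Constructed sample: namespace root (uid 0) maps to host uid 1000, 65536 ids wide.
SAMPLE_UID_MAP = "0 1000 65536\n"

# Only uid-scoped trusted.* names are handled here.
_NAME_RE = re.compile(r"^(trusted\.[^@]+)@uid=(\d+)$")


def parse_uid_map(text: str) -> UidMap:
    """Parse uid_map lines into (ns_start, host_start, count) tuples."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ns_start, host_start, count = (int(x) for x in line.split())
            entries.append((ns_start, host_start, count))
    return entries


def ns_uid_to_host(ns_uid: int, uid_map: UidMap) -> Optional[int]:
    """Return the host uid for ns_uid, or None when the id is not mapped."""
    for ns_start, host_start, count in uid_map:
        if ns_start <= ns_uid < ns_start + count:
            return host_start + (ns_uid - ns_start)
    return None


def to_host_xattr_name(name: str, uid_map: UidMap) -> str:
    """Rewrite trusted.<x>@uid=N seen inside the userns into the host-side name.

    Raises ValueError when N has no mapping, modelling the patch rejecting
    writes for uids that do not exist in the namespace.
    """
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a uid-scoped trusted xattr name: {name!r}")
    base, ns_uid = m.group(1), int(m.group(2))
    host_uid = ns_uid_to_host(ns_uid, uid_map)
    if host_uid is None:
        raise ValueError(f"uid {ns_uid} is not mapped in this user namespace")
    return f"{base}@uid={host_uid}"


def write_accepted(name: str, uid_map: UidMap) -> bool:
    """True if the namespace would be allowed to write this xattr name."""
    try:
        to_host_xattr_name(name, uid_map)
        return True
    except ValueError:
        return False
```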