Re: [PATCH 00/26] Permit filesystem local caching
Kyle Moffett <[EMAIL PROTECTED]> wrote: > One vaguely related question: Is there presently any way to adjust the > per-user max-key-data limit? There's no reason there can't be. It just needs a policy deciding. Do we have: (1) One control for all. (2) One control for all non-root users; no quotas on root. (3) One control for root, one control for all non-root users. (3) Separate controls for all users. Should this be a ulimit? Should a non-root user be able to adjust their own quotas within limits set by root? How should the quota be accessed? The obvious way is to have /proc or /sys controls. Non-root quotas tend to be transitory. When the user_struct pinning them goes out of scope, they tend to disappear. How do we recover the settings, if at all? David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 00/26] Permit filesystem local caching
James Morris <[EMAIL PROTECTED]> wrote: > > The SELinux base code will also need updating to have the security class, > > lest > > the following error appear in dmesg: > > > > context_struct_compute_av: unrecognized class 69 > > Alternately, what's needed is a newer policy which supports unknown > permission classes. Any recent distro policy should have this. I'm seeing this with an up to date Fedora 7 installation. Do I need F8 instead? David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 00/26] Permit filesystem local caching
James Morris [EMAIL PROTECTED] wrote: The SELinux base code will also need updating to have the security class, lest the following error appear in dmesg: context_struct_compute_av: unrecognized class 69 Alternately, what's needed is a newer policy which supports unknown permission classes. Any recent distro policy should have this. I'm seeing this with an up to date Fedora 7 installation. Do I need F8 instead? David -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 00/26] Permit filesystem local caching
Kyle Moffett [EMAIL PROTECTED] wrote: One vaguely related question: Is there presently any way to adjust the per-user max-key-data limit? There's no reason there can't be. It just needs a policy deciding. Do we have: (1) One control for all. (2) One control for all non-root users; no quotas on root. (3) One control for root, one control for all non-root users. (3) Separate controls for all users. Should this be a ulimit? Should a non-root user be able to adjust their own quotas within limits set by root? How should the quota be accessed? The obvious way is to have /proc or /sys controls. Non-root quotas tend to be transitory. When the user_struct pinning them goes out of scope, they tend to disappear. How do we recover the settings, if at all? David -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 00/26] Permit filesystem local caching
On Jan 15, 2008, at 18:46, David Howells wrote: (*) 01-keys-inc-payload.diff (*) 02-keys-search-keyring.diff (*) 03-keys-callout-blob.diff One vaguely related question: Is there presently any way to adjust the per-user max-key-data limit? I've been tinkering with using the new-ish MIT kerberos "KEYRING:" credentials-cache code to hold keys for persistent daemons. Unfortunately "root" keeps hitting the limit even with only about 16 keys allocated across a few sessions. After perusing the docs I can't find any documentation on adjusting the limits. I'd really like some way to specifically allow root to allocate up to several megs worth of non-swappable key data, although I suppose just increasing the global limit slightly wouldn't be bad either. If such functionality already exists then I'd appreciate a pointer to it (and possibly respond in kind with documentation patches). Cheers, Kyle Moffett -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 00/26] Permit filesystem local caching
On Tue, 15 Jan 2008, David Howells wrote: > > (*) 04-keys-get-label.diff > > A patch to allow the security label of a key to be retrieved. > Included because of patches 05-08. > > (*) 05-security-current-fsugid.diff > (*) 06-security-separate-task-bits.diff > (*) 07-security-subjective.diff > (*) 08-security-secctx2secid.diff > (*) 09-security-additional-classes.diff > (*) 10-security-kernel_service-class.diff > (*) 11-security-kernel-service.diff All of the security patches look ok to me. From the SELinux pov, this will need to go in after Paul Moore's labeled networking update (hopefully very soon after the next merge window opens). - James -- James Morris <[EMAIL PROTECTED]> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 00/26] Permit filesystem local caching
On Tue, 15 Jan 2008, David Howells wrote: > The SELinux base code will also need updating to have the security class, lest > the following error appear in dmesg: > > context_struct_compute_av: unrecognized class 69 Alternately, what's needed is a newer policy which supports unknown permission classes. Any recent distro policy should have this. - James -- James Morris <[EMAIL PROTECTED]> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 00/26] Permit filesystem local caching
These patches add local caching for network filesystems such as NFS. The patches can roughly be broken down into a number of sets: (*) 01-keys-inc-payload.diff (*) 02-keys-search-keyring.diff (*) 03-keys-callout-blob.diff Three patches to the keyring code made to help the CIFS people. Included because of patches 05-08. (*) 04-keys-get-label.diff A patch to allow the security label of a key to be retrieved. Included because of patches 05-08. (*) 05-security-current-fsugid.diff (*) 06-security-separate-task-bits.diff (*) 07-security-subjective.diff (*) 08-security-secctx2secid.diff (*) 09-security-additional-classes.diff (*) 10-security-kernel_service-class.diff (*) 11-security-kernel-service.diff Patches to permit the subjective security of a task to be overridden. All the security details in task_struct are decanted into a new struct that task_struct then has two pointers two: one that defines the objective security of that task (how other tasks may affect it) and one that defines the subjective security (how it may affect other objects). Note that I have dropped the idea of struct cred for the moment. With the amount of stuff that was excluded from it, it wasn't actually any use to me. However, it can be added later. Required for cachefiles. (*) 12-release-page.diff (*) 13-fscache-page-flags.diff (*) 14-add_wait_queue_tail.diff (*) 15-fscache.diff Patches to provide a local caching facility for network filesystems. (*) 16-cachefiles-ia64.diff (*) 17-cachefiles-ext3-f_mapping.diff (*) 18-cachefiles-write.diff (*) 19-cachefiles-monitor.diff (*) 20-cachefiles-export.diff (*) 21-cachefiles.diff Patches to provide a local cache in a directory of an already mounted filesystem. (*) 22-nfs-memleak.diff (*) 23-fscache-nfs.diff (*) 24-fscache-nfs-mount.diff (*) 25-fscache-nfs-display.diff (*) 26-fscache-nfs-persb.diff Patches to provide NFS with local caching. The fifth of these patches makes caching configurable per superblock. This release is mainly for the security guys (esp Stephen and Casey) to have a look at to see if they are happy with the security stuff. The SELinux base code will also need updating to have the security class, lest the following error appear in dmesg: context_struct_compute_av: unrecognized class 69 I know Nick Piggin has a couple of issues still, but I'll look again at those next. Andrew, Linus, can you please hold off on taking these patches for the moment. -- A tarball of the patches is available at: http://people.redhat.com/~dhowells/fscache/patches/nfs+fscache-26.tar.bz2 To use this version of CacheFiles, the cachefilesd-0.9 is also required. It is available as an SRPM: http://people.redhat.com/~dhowells/fscache/cachefilesd-0.9-1.fc7.src.rpm Or as individual bits: http://people.redhat.com/~dhowells/fscache/cachefilesd-0.9.tar.bz2 http://people.redhat.com/~dhowells/fscache/cachefilesd.fc http://people.redhat.com/~dhowells/fscache/cachefilesd.if http://people.redhat.com/~dhowells/fscache/cachefilesd.te http://people.redhat.com/~dhowells/fscache/cachefilesd.spec The .fc, .if and .te files are for manipulating SELinux. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 00/26] Permit filesystem local caching
These patches add local caching for network filesystems such as NFS. The patches can roughly be broken down into a number of sets: (*) 01-keys-inc-payload.diff (*) 02-keys-search-keyring.diff (*) 03-keys-callout-blob.diff Three patches to the keyring code made to help the CIFS people. Included because of patches 05-08. (*) 04-keys-get-label.diff A patch to allow the security label of a key to be retrieved. Included because of patches 05-08. (*) 05-security-current-fsugid.diff (*) 06-security-separate-task-bits.diff (*) 07-security-subjective.diff (*) 08-security-secctx2secid.diff (*) 09-security-additional-classes.diff (*) 10-security-kernel_service-class.diff (*) 11-security-kernel-service.diff Patches to permit the subjective security of a task to be overridden. All the security details in task_struct are decanted into a new struct that task_struct then has two pointers two: one that defines the objective security of that task (how other tasks may affect it) and one that defines the subjective security (how it may affect other objects). Note that I have dropped the idea of struct cred for the moment. With the amount of stuff that was excluded from it, it wasn't actually any use to me. However, it can be added later. Required for cachefiles. (*) 12-release-page.diff (*) 13-fscache-page-flags.diff (*) 14-add_wait_queue_tail.diff (*) 15-fscache.diff Patches to provide a local caching facility for network filesystems. (*) 16-cachefiles-ia64.diff (*) 17-cachefiles-ext3-f_mapping.diff (*) 18-cachefiles-write.diff (*) 19-cachefiles-monitor.diff (*) 20-cachefiles-export.diff (*) 21-cachefiles.diff Patches to provide a local cache in a directory of an already mounted filesystem. (*) 22-nfs-memleak.diff (*) 23-fscache-nfs.diff (*) 24-fscache-nfs-mount.diff (*) 25-fscache-nfs-display.diff (*) 26-fscache-nfs-persb.diff Patches to provide NFS with local caching. The fifth of these patches makes caching configurable per superblock. This release is mainly for the security guys (esp Stephen and Casey) to have a look at to see if they are happy with the security stuff. The SELinux base code will also need updating to have the security class, lest the following error appear in dmesg: context_struct_compute_av: unrecognized class 69 I know Nick Piggin has a couple of issues still, but I'll look again at those next. Andrew, Linus, can you please hold off on taking these patches for the moment. -- A tarball of the patches is available at: http://people.redhat.com/~dhowells/fscache/patches/nfs+fscache-26.tar.bz2 To use this version of CacheFiles, the cachefilesd-0.9 is also required. It is available as an SRPM: http://people.redhat.com/~dhowells/fscache/cachefilesd-0.9-1.fc7.src.rpm Or as individual bits: http://people.redhat.com/~dhowells/fscache/cachefilesd-0.9.tar.bz2 http://people.redhat.com/~dhowells/fscache/cachefilesd.fc http://people.redhat.com/~dhowells/fscache/cachefilesd.if http://people.redhat.com/~dhowells/fscache/cachefilesd.te http://people.redhat.com/~dhowells/fscache/cachefilesd.spec The .fc, .if and .te files are for manipulating SELinux. David -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 00/26] Permit filesystem local caching
On Tue, 15 Jan 2008, David Howells wrote: The SELinux base code will also need updating to have the security class, lest the following error appear in dmesg: context_struct_compute_av: unrecognized class 69 Alternately, what's needed is a newer policy which supports unknown permission classes. Any recent distro policy should have this. - James -- James Morris [EMAIL PROTECTED] -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 00/26] Permit filesystem local caching
On Tue, 15 Jan 2008, David Howells wrote: (*) 04-keys-get-label.diff A patch to allow the security label of a key to be retrieved. Included because of patches 05-08. (*) 05-security-current-fsugid.diff (*) 06-security-separate-task-bits.diff (*) 07-security-subjective.diff (*) 08-security-secctx2secid.diff (*) 09-security-additional-classes.diff (*) 10-security-kernel_service-class.diff (*) 11-security-kernel-service.diff All of the security patches look ok to me. From the SELinux pov, this will need to go in after Paul Moore's labeled networking update (hopefully very soon after the next merge window opens). - James -- James Morris [EMAIL PROTECTED] -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 00/26] Permit filesystem local caching
On Jan 15, 2008, at 18:46, David Howells wrote: (*) 01-keys-inc-payload.diff (*) 02-keys-search-keyring.diff (*) 03-keys-callout-blob.diff One vaguely related question: Is there presently any way to adjust the per-user max-key-data limit? I've been tinkering with using the new-ish MIT kerberos KEYRING: credentials-cache code to hold keys for persistent daemons. Unfortunately root keeps hitting the limit even with only about 16 keys allocated across a few sessions. After perusing the docs I can't find any documentation on adjusting the limits. I'd really like some way to specifically allow root to allocate up to several megs worth of non-swappable key data, although I suppose just increasing the global limit slightly wouldn't be bad either. If such functionality already exists then I'd appreciate a pointer to it (and possibly respond in kind with documentation patches). Cheers, Kyle Moffett -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/