Re: [systemd-devel] [PATCH 2/2] policy: make policy checks work across user namespaces
On Tue, Sep 09, 2014 at 10:40:57AM +0200, Daniel Mack wrote: > On 09/08/2014 03:50 PM, Djalal Harouni wrote: > > Yes there are compile time checks, and it is perhaps easier/consistent > > to read this way! but yes a union is also good. OK I'll update it. > > Nevermind - I amended the your patch accordingly and pushed it. Oh sorry, and thank you for fixing that :-) -- Djalal Harouni http://opendz.org ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH 2/2] policy: make policy checks work across user namespaces
On 09/08/2014 03:50 PM, Djalal Harouni wrote: > Yes there are compile time checks, and it is perhaps easier/consistent > to read this way! but yes a union is also good. OK I'll update it. Nevermind - I amended the your patch accordingly and pushed it. Thanks! Daniel ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH 2/2] policy: make policy checks work across user namespaces
On Mon, Sep 08, 2014 at 03:27:42PM +0200, Daniel Mack wrote:
> On 09/08/2014 03:18 PM, Djalal Harouni wrote:
> > * This is the internal version of struct kdbus_policy_db_access.
> > @@ -51,7 +52,8 @@ struct kdbus_policy_db_cache_entry {
> > struct kdbus_policy_db_entry_access {
> > u8 type;/* USER, GROUP, WORLD */
> > u8 access; /* OWN, TALK, SEE */
> > - u64 id; /* uid, gid, 0 */
> > + kuid_t uid; /* global uid */
> > + kgid_t gid; /* global gid */
>
> Such an entry can only either be referring to a user or group rule,
> determined by the 'type' field. Hence, having two members in the struct
> is overkill. I understand you did this to have the real kernel types in
> place, but we can put the two things in a union, right?
Yes there are compile time checks, and it is perhaps easier/consistent
to read this way! but yes a union is also good. OK I'll update it.
BTW there is a *small* optimization that we can also add later to the
"case KDBUS_POLICY_ACCESS_GROUP:" when we walk the additional group and
match, instead of linear we can do a binary search since groups are
sorted, there is kernel/groups.c:groups_search() which should do the job
but the symbol is not exported...
Ok will update/test for the union case and send it later, thank you!
--
Djalal Harouni
http://opendz.org
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH 2/2] policy: make policy checks work across user namespaces
On 09/08/2014 03:18 PM, Djalal Harouni wrote:
> * This is the internal version of struct kdbus_policy_db_access.
> @@ -51,7 +52,8 @@ struct kdbus_policy_db_cache_entry {
> struct kdbus_policy_db_entry_access {
> u8 type;/* USER, GROUP, WORLD */
> u8 access; /* OWN, TALK, SEE */
> - u64 id; /* uid, gid, 0 */
> + kuid_t uid; /* global uid */
> + kgid_t gid; /* global gid */
Such an entry can only either be referring to a user or group rule,
determined by the 'type' field. Hence, having two members in the struct
is overkill. I understand you did this to have the real kernel types in
place, but we can put the two things in a union, right?
The rest looks good!
Thanks,
Daniel
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
