Re:Re: [PATCH net-next] net: Remove useless function skb_header_release

2017-09-20 Thread Gao Feng
At 2017-09-21 05:30:46, "David Miller" wrote: >From: gfree.w...@vip.163.com >Date: Tue, 19 Sep 2017 22:32:48 +0800 > >> From: Gao Feng >> >> There is no one which would invokes the function skb_header_release. >> So just remove it now. >> >

Re: [PATCH] net: avoid uninitialized variable

2016-10-26 Thread Gao Feng
On Thu, Oct 27, 2016 at 11:56 AM, zhongjiang wrote: > From: zhong jiang > > when I compiler the newest kernel, I hit the following error with > Werror=may-uninitalized. > > net/core/flow_dissector.c: In function ‘__skb_flow_dissect’ > include/uapi/linux/swab.h:100:46: error: ?.lan?.may be used un

Re: [PATCH net] rps: flow_dissector: Fix uninitialized flow_keys used in __skb_get_hash possibly

2016-08-30 Thread Gao Feng
On Wed, Aug 31, 2016 at 12:14 PM, Eric Dumazet wrote: > On Wed, 2016-08-31 at 10:56 +0800, f...@ikuai8.com wrote: >> From: Gao Feng >> >> The original codes depend on that the function parameters are evaluated from >> left to right. But the parameter's eval

Re: [PATCH audit-next 2/2] Audit: make audit netlink socket net namespace unaware

2014-01-16 Thread Gao feng
On 01/17/2014 06:29 AM, Serge E. Hallyn wrote: > Quoting Gao feng (gaof...@cn.fujitsu.com): >> Add a compare function which always return true for >> audit netlink socket, this will cause audit netlink >> sockets netns unaware, and no matter which netns the >> user

[PATCH audit-next 2/2] Audit: make audit netlink socket net namespace unaware

2014-01-09 Thread Gao feng
per-netns audit kernel side socket(audit_sock), it's pain to depend on and get reference of netns for auditns. Signed-off-by: Gao feng --- kernel/audit.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index b62153a..2ac6212 100644 --- a/kernel/au

[PATCH audit-next 1/2] audit: revert commit listen in all network namespaces

2014-01-09 Thread Gao feng
this will make things easy and we needn't to consider the complicate cases. Signed-off-by: Gao feng --- kernel/audit.c | 61 ++ kernel/audit.h | 4 2 files changed, 10 insertions(+), 55 deletions(-) diff --git a/kernel/audit.c b/

Re: [PATCH 1/2] audit: print error message when fail to create audit socket

2014-01-07 Thread Gao feng
On 01/08/2014 08:53 AM, Andrew Morton wrote: > On Tue, 17 Dec 2013 11:10:41 +0800 Gao feng wrote: > >> print the error message and then return -ENOMEM. >> >> ... >> >> --- a/kernel/audit.c >> +++ b/kernel/audit.c >> @@ -1083,12 +1083,11 @@ stat

Re: [RFC PATCH net-next 0/4] net_cls for sys container

2014-01-06 Thread Gao feng
On 01/06/2014 03:54 PM, Libo Chen wrote: > On 2014/1/3 13:20, Cong Wang wrote: >> On Thu, Jan 2, 2014 at 7:11 PM, Libo Chen >> wrote: >>> Hi guys, >>> >>> Now, lxc created with veth can not be under control by >>> cls_cgroup. >>> >>> the former discussion: >>> http://lkml.indiana.edu/hypermail/li

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-12-24 Thread Gao feng
On 12/24/2013 07:47 AM, Richard Guy Briggs wrote: > On 13/12/09, Gao feng wrote: >> On 12/07/2013 05:31 AM, Serge E. Hallyn wrote: >>> Quoting Gao feng (gaof...@cn.fujitsu.com): > >>>> The main target of this patchset is allowing user in audit >>>> nam

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-12-24 Thread Gao feng
On 12/21/2013 05:15 AM, Serge E. Hallyn wrote: > Quoting Gao feng (gaof...@cn.fujitsu.com): >> On 12/11/2013 04:36 AM, Serge E. Hallyn wrote: >>> Quoting Eric Paris (epa...@redhat.com): >>>> On Tue, 2013-12-10 at 10:51 -0600, Serge Hallyn wrote: >>>>

Re: [PATCH] audit: listen in all network namespaces

2013-12-19 Thread Gao feng
On 12/20/2013 11:11 AM, Eric Paris wrote: > On Fri, 2013-12-20 at 10:46 +0800, Gao feng wrote: >> On 12/20/2013 02:40 AM, Eric Paris wrote: >>> On Thu, 2013-12-19 at 11:59 +0800, Gao feng wrote: >>>> On 07/17/2013 04:32 AM, Richard Guy Briggs wrote: > >>

Re: [PATCH] audit: listen in all network namespaces

2013-12-19 Thread Gao feng
On 12/20/2013 02:40 AM, Eric Paris wrote: > On Thu, 2013-12-19 at 11:59 +0800, Gao feng wrote: >> On 07/17/2013 04:32 AM, Richard Guy Briggs wrote: >>> Convert audit from only listening in init_net to use >>> register_pernet_subsys() >>> to dynami

Re: [PATCH] audit: fix build error when disable audit

2013-12-19 Thread Gao feng
On 12/20/2013 09:40 AM, Richard Guy Briggs wrote: > On 13/12/20, Gao feng wrote: >> On 12/20/2013 09:19 AM, Richard Guy Briggs wrote: >>> On 13/12/19, Gao feng wrote: >>>> On 12/19/2013 10:34 AM, Gao feng wrote: >>>>> kernel/capability.c: In function ‘

Re: [PATCH] audit: fix build error when disable audit

2013-12-19 Thread Gao feng
On 12/20/2013 09:19 AM, Richard Guy Briggs wrote: > On 13/12/19, Gao feng wrote: >> On 12/19/2013 10:34 AM, Gao feng wrote: >>> kernel/capability.c: In function ‘SYSC_capset’: >>> kernel/capability.c:280:2: warning: passing argument 1 of >>> ‘audit_log_capset’

Re: [PATCH] audit: listen in all network namespaces

2013-12-19 Thread Gao feng
On 12/20/2013 02:40 AM, Eric Paris wrote: > On Thu, 2013-12-19 at 11:59 +0800, Gao feng wrote: >> On 07/17/2013 04:32 AM, Richard Guy Briggs wrote: >>> Convert audit from only listening in init_net to use >>> register_pernet_subsys() >>> to dynami

Re: [PATCH] audit: listen in all network namespaces

2013-12-18 Thread Gao feng
ns unaware, and no matter which netns the user space audit netlink sockets belong to, they all can find out and communicate with audit_sock. This gets rid of the necessary to create per-netns audit kernel side socket(audit_sock), it's pain to depend on and get reference of netns for aud

Re: [PATCH] audit: fix build error when disable audit

2013-12-18 Thread Gao feng
On 12/19/2013 10:34 AM, Gao feng wrote: > kernel/capability.c: In function ‘SYSC_capset’: > kernel/capability.c:280:2: warning: passing argument 1 of ‘audit_log_capset’ > makes integer from pointer without a cast [enabled by default] > audit_log_capset(new, current_cred()); >

[PATCH] audit: fix build error when disable audit

2013-12-18 Thread Gao feng
()); ^ In file included from kernel/capability.c:10:0: include/linux/audit.h:400:20: note: declared here static inline void audit_log_capset(pid_t pid, const struct cred *new, ^ make[1]: *** [kernel/capability.o] Error 1 Signed-off-by: Gao feng --- include/linux/audit.h | 4 ++-- 1

[PATCH 1/2] audit: print error message when fail to create audit socket

2013-12-16 Thread Gao feng
print the error message and then return -ENOMEM. Signed-off-by: Gao feng --- kernel/audit.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 2a0ed0b..041b951 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1083,12 +1083,11

[PATCH 2/2] audit: fix incorrect set of audit_sock

2013-12-16 Thread Gao feng
an be released anytime, so the audit_sock may point to invalid socket. this patch sets the audit_sock to the kernel side audit netlink socket. Signed-off-by: Gao feng --- kernel/audit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index 04

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-12-15 Thread Gao feng
On 12/11/2013 04:36 AM, Serge E. Hallyn wrote: > Quoting Eric Paris (epa...@redhat.com): >> On Tue, 2013-12-10 at 10:51 -0600, Serge Hallyn wrote: >>> Quoting Gao feng (gaof...@cn.fujitsu.com): >>>> On 12/10/2013 02:26 AM, Serge Hallyn wrote: >>>>

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-12-10 Thread Gao feng
On 12/10/2013 02:26 AM, Serge Hallyn wrote: > Quoting Gao feng (gaof...@cn.fujitsu.com): >> On 12/07/2013 06:12 AM, Serge E. Hallyn wrote: >>> Quoting Gao feng (gaof...@cn.fujitsu.com): >>>> Hi >>>> >>>> On 10/24/2013 03:31 PM, Gao feng wrote:

Re: [PATCH 18/20] audit: add new message type AUDIT_CREATE_NS

2013-12-09 Thread Gao feng
On 12/10/2013 01:53 AM, Serge Hallyn wrote: > Quoting Gao feng (gaof...@cn.fujitsu.com): >> On 12/07/2013 06:10 AM, Serge E. Hallyn wrote: >>> Quoting Gao feng (gaof...@cn.fujitsu.com): >>>> Since there is no more place for flags of clone system call. >>>

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-12-08 Thread Gao feng
Hi Serge, Thanks for your comments! On 12/07/2013 05:31 AM, Serge E. Hallyn wrote: > Quoting Gao feng (gaof...@cn.fujitsu.com): >> Here is the v1 patchset: http://lwn.net/Articles/549546/ >> >> The main target of this patchset is allowing user in audit >> namespace to

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-12-08 Thread Gao feng
On 12/07/2013 06:12 AM, Serge E. Hallyn wrote: > Quoting Gao feng (gaof...@cn.fujitsu.com): >> Hi >> >> On 10/24/2013 03:31 PM, Gao feng wrote: >>> Here is the v1 patchset: http://lwn.net/Articles/549546/ >>> >>> The main target of this patchset is

Re: [PATCH 18/20] audit: add new message type AUDIT_CREATE_NS

2013-12-08 Thread Gao feng
On 12/07/2013 06:10 AM, Serge E. Hallyn wrote: > Quoting Gao feng (gaof...@cn.fujitsu.com): >> Since there is no more place for flags of clone system call. >> we need to find a way to create audit namespace. >> >> this patch add a new type of message AUDIT_CREATE_NS.

Re: [PATCH 16/20] audit: allow GET, SET, USER MSG operations in audit namespace

2013-12-08 Thread Gao feng
On 12/07/2013 06:00 AM, Serge E. Hallyn wrote: > Quoting Gao feng (gaof...@cn.fujitsu.com): >> 1, remove the permission check of pid namespace. it's no reason >>to deny un-init pid namespace to operate audit subsystem. >> >> 2, only allow init user names

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-12-04 Thread Gao feng
Hi On 10/24/2013 03:31 PM, Gao feng wrote: > Here is the v1 patchset: http://lwn.net/Articles/549546/ > > The main target of this patchset is allowing user in audit > namespace to generate the USER_MSG type of audit message, > some userspace tools need to generate audit message, o

Re: [PATCH] nsproxy: Check to make sure count is truly zero before freeing

2013-11-18 Thread Gao feng
On 11/19/2013 08:04 AM, Steven Rostedt wrote: > > I'll start out saying that this email was a complete oops. I only kept > it around for reference, as this didn't fix the bug we were seeing, and > I used this email to just document what I initially thought. > Can you describe the panic situation

Re: [REVIEW][PATCH 1/2] userns: Better restrictions on when proc and sysfs can be mounted

2013-11-14 Thread Gao feng
On 11/15/2013 12:54 PM, Eric W. Biederman wrote: > Gao feng writes: > >> On 11/15/2013 12:54 AM, Andy Lutomirski wrote: >>> On Thu, Nov 14, 2013 at 3:10 AM, Gao feng wrote: >>>> On 11/13/2013 03:26 PM, Gao feng wrote: >>>>> On 11/09/2013 01:42

Re: [REVIEW][PATCH 1/2] userns: Better restrictions on when proc and sysfs can be mounted

2013-11-14 Thread Gao feng
On 11/15/2013 12:54 AM, Andy Lutomirski wrote: > On Thu, Nov 14, 2013 at 3:10 AM, Gao feng wrote: >> On 11/13/2013 03:26 PM, Gao feng wrote: >>> On 11/09/2013 01:42 PM, Eric W. Biederman wrote: >>>> Right now I would rather not have the empty directory except

Re: [PATCH] userns: allow privileged user to operate locked mount

2013-11-14 Thread Gao feng
On 11/15/2013 07:50 AM, Eric W. Biederman wrote: > Gao feng writes: > >> Privileged user should have rights to mount/umount/move >> these even locked mount. > > Hmm. This is pretty much a can't happen case, as the only exist in mount > namespaces where the glob

Re: [REVIEW][PATCH 1/2] userns: Better restrictions on when proc and sysfs can be mounted

2013-11-14 Thread Gao feng
On 11/13/2013 03:26 PM, Gao feng wrote: > On 11/09/2013 01:42 PM, Eric W. Biederman wrote: >> Gao feng writes: >> >>> On 11/02/2013 02:06 PM, Gao feng wrote: >>>> Hi Eric, >>>> >>>> On 08/28/2013 05:44 AM, Eric W. Biederman wrote: >

[PATCH] userns: allow privileged user to operate locked mount

2013-11-12 Thread Gao feng
Privileged user should have rights to mount/umount/move these even locked mount. Signed-off-by: Gao feng --- fs/namespace.c | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index da5c494..7097fc7 100644 --- a/fs/namespace.c

Re: [REVIEW][PATCH 1/2] userns: Better restrictions on when proc and sysfs can be mounted

2013-11-12 Thread Gao feng
On 11/09/2013 01:42 PM, Eric W. Biederman wrote: > Gao feng writes: > >> On 11/02/2013 02:06 PM, Gao feng wrote: >>> Hi Eric, >>> >>> On 08/28/2013 05:44 AM, Eric W. Biederman wrote: >>>> >>>> Rely on the fact that another flavor of

Re: [REVIEW][PATCH 1/2] userns: Better restrictions on when proc and sysfs can be mounted

2013-11-07 Thread Gao feng
On 11/02/2013 02:06 PM, Gao feng wrote: > Hi Eric, > > On 08/28/2013 05:44 AM, Eric W. Biederman wrote: >> >> Rely on the fact that another flavor of the filesystem is already >> mounted and do not rely on state in the user namespace. >> >> Verify that the m

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-11-06 Thread Gao feng
On 11/06/2013 03:14 AM, Richard Guy Briggs wrote: > On Tue, Nov 05, 2013 at 04:56:55PM +0800, Gao feng wrote: >> On 11/05/2013 04:11 PM, Li Zefan wrote: >>> On 2013/11/5 15:52, Gao feng wrote: >>>> On 11/05/2013 03:51 PM, Gao feng wrote: >>>>> Ping...

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-11-05 Thread Gao feng
On 11/05/2013 04:11 PM, Li Zefan wrote: > On 2013/11/5 15:52, Gao feng wrote: >> On 11/05/2013 03:51 PM, Gao feng wrote: >>> Ping... >>> >> >> I want to catch up the merge window.. >> > > Even if your patches are accepted by a certain maintaine

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-11-04 Thread Gao feng
On 11/05/2013 03:51 PM, Gao feng wrote: > Ping... > I want to catch up the merge window.. > On 10/31/2013 11:52 AM, Gao feng wrote: >> Hi Eric Paris, >> >> Can you give me some comments? >> >> You think the tying audit namespace to user namespace is

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-11-04 Thread Gao feng
Ping... On 10/31/2013 11:52 AM, Gao feng wrote: > Hi Eric Paris, > > Can you give me some comments? > > You think the tying audit namespace to user namespace is a bad idea, > so this patchset doesn't assign auditns to userns and introduce an > new audit netlink ty

Re: [REVIEW][PATCH 1/2] userns: Better restrictions on when proc and sysfs can be mounted

2013-11-01 Thread Gao feng
Hi Eric, On 08/28/2013 05:44 AM, Eric W. Biederman wrote: > > Rely on the fact that another flavor of the filesystem is already > mounted and do not rely on state in the user namespace. > > Verify that the mounted filesystem is not covered in any significant > way. I would love to verify that t

[PATCH v2] audit: remove useless code in audit_enable

2013-10-30 Thread Gao feng
Since kernel parameter is operated before initcall, so the audit_initialized must be AUDIT_UNINITIALIZED or DISABLED in audit_enable. Signed-off-by: Gao feng --- kernel/audit.c | 13 ++--- 1 file changed, 2 insertions(+), 11 deletions(-) change from v1: convert "printk(KERN_INFO

Re: [RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-10-30 Thread Gao feng
chset also makes all of net namespaces have ability to send/ receive audit netlink message. I may miss some points, if you find there are some shortage or loophole, please let me know. Thanks! On 10/24/2013 03:31 PM, Gao feng wrote: > Here is the v1 patchset: http://lwn.net/Articles/549546/

[PATCH 15/20] audit: Log audit pid config change in audit namespace

2013-10-24 Thread Gao feng
This patch allow to log audit config change in audit namespace. Signed-off-by: Gao feng --- kernel/audit.c | 18 +- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 92da21d..095f54d 100644 --- a/kernel/audit.c +++ b/kernel

[PATCH 03/20] audit: make audit_skb_queue per audit namespace

2013-10-24 Thread Gao feng
This patch makes audit_skb_queue per audit namespace. Since we haven't finished the preparations, only allow user to attach/detach skb to the queue of init_audit_ns. Signed-off-by: Gao feng --- include/linux/audit_namespace.h | 3 +++ kernel/audit.c | 18 +---

[PATCH 06/20] audit: make kauditd_task per audit namespace

2013-10-24 Thread Gao feng
kauditd_task is used to send audit netlink messages to the user space auditd process. Because the netlink messages are per audit namespace, we should make kaudit_task per auditns to operate the right netlink skb. Signed-off-by: Gao feng --- include/linux/audit_namespace.h | 12

[PATCH 01/20] Audit: make audit netlink socket net namespace unaware

2013-10-24 Thread Gao feng
per-netns audit kernel side socket(audit_sock), it's pain to depend on and get reference of netns for auditns. Signed-off-by: Gao feng --- kernel/audit.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 7b0e23a..468950b 100644 --- a/kernel/au

[PATCH 09/20] audit: make audit_backlog_wait per audit namespace

2013-10-24 Thread Gao feng
Tasks are added to audit_backlog_wait when the audit_skb_queue of audit namespace is full, so audit_backlog_wait should be per audit namespace too. Signed-off-by: Gao feng --- include/linux/audit_namespace.h | 1 + kernel/audit.c | 11 +-- 2 files changed, 6 insertions

[PATCH 12/20] audit: use proper audit_namespace in kauditd_thread

2013-10-24 Thread Gao feng
Signed-off-by: Gao feng --- kernel/audit.c | 34 +- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 5524deb..b203017 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -338,11 +338,11 @@ static int

[PATCH 05/20] audit: make audit_pid per audit namespace

2013-10-24 Thread Gao feng
ff-by: Gao feng --- include/linux/audit_namespace.h | 2 ++ kernel/audit.c | 43 ++--- kernel/audit.h | 5 ++--- kernel/auditsc.c| 6 +++--- 4 files changed, 39 insertions(+), 17 deletions(-) diff --git a/in

[PATCH 02/20] audit: introduce configure option CONFIG_AUDIT_NS

2013-10-24 Thread Gao feng
mespace. Signed-off-by: Gao feng --- include/linux/audit_namespace.h | 51 + include/linux/nsproxy.h | 11 + init/Kconfig| 10 kernel/Makefile | 2 +- kernel/audit_namespace.c| 8

[PATCH 04/20] audit: make audit_skb_hold_queue per audit namespace

2013-10-24 Thread Gao feng
This patch makes audit_skb_hold_queue per audit namespace. Signed-off-by: Gao feng --- include/linux/audit_namespace.h | 3 +++ kernel/audit.c | 12 +--- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/include/linux/audit_namespace.h b/include/linux

[RFC Part1 PATCH 00/20 v2] Add namespace support for audit

2013-10-24 Thread Gao feng
I send this patchset now in order to get more comments, so I can keep on improving namespace support for audit. Gao feng (20): Audit: make audit netlink socket net namespace unaware audit: introduce configure option CONFIG_AUDIT_NS audit: make audit_skb_queue per audit namespace audit: make

[PATCH 10/20] audit: allow un-init audit ns to change pid and portid only

2013-10-24 Thread Gao feng
Only these two vars are namespace aware. Signed-off-by: Gao feng --- kernel/audit.c | 26 -- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index d7a0993..2132929 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -685,16

[PATCH 11/20] audit: use proper audit namespace in audit_receive_msg

2013-10-24 Thread Gao feng
Signed-off-by: Gao feng --- kernel/audit.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 2132929..5524deb 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -662,11 +662,11 @@ static int audit_receive_msg(struct sk_buff *skb

[PATCH 13/20] audit: introduce new audit logging interface for audit namespace

2013-10-24 Thread Gao feng
This interface audit_log_start_ns and audit_log_end_ns will be used for logging audit logs in audit namespace. Signed-off-by: Gao feng --- include/linux/audit.h | 26 +-- kernel/audit.c| 92 ++- 2 files changed, 77 insertions

[PATCH 08/20] audit: make kaudit_wait queue per audit namespace

2013-10-24 Thread Gao feng
kauditd_task is added to the wait queue kaudit_wait when there is no audit message being generated in audit namespace, so the kaudit_wait should be per audit namespace too. Signed-off-by: Gao feng --- include/linux/audit_namespace.h | 2 ++ kernel/audit.c | 8 2 files

[PATCH 17/20] nsproxy: don't make create_new_namespaces static

2013-10-24 Thread Gao feng
audit module will use create_new_namespaces to create new nsproxy. Signed-off-by: Gao feng --- include/linux/nsproxy.h | 4 kernel/nsproxy.c| 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/linux/nsproxy.h b/include/linux/nsproxy.h index dc7af11

[PATCH 14/20] audit: pass proper audit namespace to audit_log_common_recv_msg

2013-10-24 Thread Gao feng
The audit log that generated in audit namespace should be received by the auditd running in this audit namespace. Signed-off-by: Gao feng --- kernel/audit.c | 21 +++-- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 5ac7365

[PATCH 16/20] audit: allow GET,SET,USER MSG operations in audit namespace

2013-10-24 Thread Gao feng
audit configuration, send userspace audit message. Signed-off-by: Gao feng --- kernel/audit.c | 13 ++--- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 095f54d..c4d4291 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -573,11 +

[PATCH 19/20] audit: make audit_backlog_limit per audit namespace

2013-10-24 Thread Gao feng
erate audit log. Signed-off-by: Gao feng --- include/linux/audit_namespace.h | 2 ++ kernel/audit.c | 47 +++-- 2 files changed, 28 insertions(+), 21 deletions(-) diff --git a/include/linux/audit_namespace.h b/include/linux/audit_namespace.h

[PATCH 18/20] audit: add new message type AUDIT_CREATE_NS

2013-10-24 Thread Gao feng
, the audit_backlog_limit will be per audit namespace, but only the privileged user has rights to modify it. and the default value of audit_backlog_limit for uninit audit namespace will be set to 0. And the audit_rate_limit will be limited too. Signed-off-by: Gao feng --- include/

[PATCH 20/20] audit: introduce /proc//audit_backlog_limit

2013-10-24 Thread Gao feng
through create user namespace and then create audit namespace. In order to keep the consistent behavior as before, for init audit namespace, the backlog_limit can be changed only through netlink interface. Signed-off-by: Gao feng --- fs/proc/base.c | 53 + include

[PATCH 07/20] audit: make audit_nlk_portid per audit namespace

2013-10-24 Thread Gao feng
We should use audit_nlk_portid to decide to send audit netlink message to which auditd processes. it should be per audit namespace too. Signed-off-by: Gao feng --- include/linux/audit_namespace.h | 2 ++ kernel/audit.c | 14 -- 2 files changed, 6 insertions(+), 10

Re: [BUG][PATCH] audit: audit_log_start running on auditd should not stop

2013-10-23 Thread Gao feng
On 10/24/2013 03:55 AM, Richard Guy Briggs wrote: > On Tue, Oct 15, 2013 at 02:30:34PM +0800, Gao feng wrote: >> Hi Toshiyuki-san, > > Toshiuki and Gao, > >> On 10/15/2013 12:43 PM, Toshiyuki Okajima wrote: >>> The backlog cannot be consumed when audit_log_start

[PATCH] audit: remove useless code in audit_enable

2013-10-23 Thread Gao feng
Since kernel parameter is operated before initcall, so the audit_initialized must be AUDIT_UNINITIALIZED or DISABLED in audit_enable. Signed-off-by: Gao feng --- kernel/audit.c | 13 ++--- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c

Re: [PATCH] audit: change pid to portid for audit_reply

2013-10-23 Thread Gao feng
On 10/24/2013 03:20 AM, Richard Guy Briggs wrote: > On Wed, Oct 23, 2013 at 07:25:23PM +0800, Gao feng wrote: >> The "pid" is not a suitable name for netlink port, >> change it to "portid". > > That is already in the works: > https://www.redhat.c

[PATCH] audit: change pid to portid for audit_reply

2013-10-23 Thread Gao feng
The "pid" is not a suitable name for netlink port, change it to "portid". more information, please see commit 15e473046cb6e5d18a4d0057e61d76315230382b Signed-off-by: Gao feng --- kernel/audit.c | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --

Re: allow unlimited audit_backlog_limit [was: Re: [PATCH] audit: don't create audit log when audit_backlog_limit is zero]

2013-10-22 Thread Gao feng
On 10/23/2013 01:59 AM, Richard Guy Briggs wrote: > On Mon, Oct 21, 2013 at 04:01:40PM +0800, Gao feng wrote: >> As the man page of auditctl said: >> " >> -b backlog >> Set max number of outstanding audit buffers allowed (Kernel >> Default=64)

Re: [PATCH] f2fs: introduce f2fs_kmem_cache_alloc to hide the unfailed kmem cache allocation

2013-10-21 Thread Gao feng
On 10/21/2013 03:24 PM, Gu Zheng wrote: > +static inline void *f2fs_kmem_cache_alloc(struct kmem_cache *cachep, > + gfp_t flags) > +{ > + void *entry = kmem_cache_alloc(cachep, flags); > +retry: retry after kmem_cache_alloc? > + if (!entry) { >

[PATCH] audit: don't create audit log when audit_backlog_limit is zero

2013-10-21 Thread Gao feng
t means no audit buffer should be allocated. Signed-off-by: Gao feng --- kernel/audit.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 7b0e23a..bbb4000 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1104,14 +1104,16 @@ struct au

Re: [BUG][PATCH V3] audit: audit_log_start running on auditd should not stop

2013-10-15 Thread Gao feng
i Okajima > Cc: gaof...@cn.fujitsu.com > --- > kernel/audit.c | 14 -- > 1 files changed, 8 insertions(+), 6 deletions(-) > Looks good to me, thanks! Reviewed-by: Gao feng > diff --git a/kernel/audit.c b/kernel/audit.c > index 7b0e23a..29cfc94 100644 > -

Re: [BUG][PATCH] audit: audit_log_start running on auditd should not stop

2013-10-14 Thread Gao feng
Hi Toshiyuki-san, On 10/15/2013 12:43 PM, Toshiyuki Okajima wrote: > The backlog cannot be consumed when audit_log_start is running on auditd > even if audit_log_start calls wait_for_auditd to consume it. > The situation is a deadlock because only auditd can consume the backlog. > If the other proc

Re: [BUG][PATCH][RFC] audit: hang up in audit_log_start executed on auditd

2013-10-11 Thread Gao feng
On 10/11/2013 09:36 AM, Toshiyuki Okajima wrote: > Hi. > > The following reproducer causes auditd daemon hang up. > (But the hang up is released after the audit_backlog_wait_time passes.) > # auditctl -a exit,always -S all > # reboot > > > I reproduced the hangup on KVM, and then got a crash

Re: [PATCH v3 00/11] Add namespace support for syslog

2013-08-07 Thread Gao feng
On 08/07/2013 03:55 PM, Eric W. Biederman wrote: > > Since this still has not been addressed. I am going to repeat Andrews > objection again. > > Isn't there a better way to get iptables information out than to use > syslog. I did not have time to follow up on that but it did appear that > some

Re: [PATCH 4/9] syslog_ns: make syslog handling per namespace

2013-07-31 Thread Gao feng
On 08/01/2013 11:10 AM, Rui Xiang wrote: > On 2013/8/1 9:36, Gao feng wrote: >> On 07/29/2013 10:31 AM, Rui Xiang wrote: >>> This patch makes syslog buf and other fields per >>> namespace. >>> >>> Here use ns->log_buf(log_buf_len, logbuf_lock,

Re: [PATCH 4/9] syslog_ns: make syslog handling per namespace

2013-07-31 Thread Gao feng
On 07/29/2013 10:31 AM, Rui Xiang wrote: > This patch makes syslog buf and other fields per > namespace. > > Here use ns->log_buf(log_buf_len, logbuf_lock, > log_first_seq, logbuf_lock, and so on) fields > instead of global ones to handle syslog. > > Syslog interfaces such as /dev/kmsg, /proc/kms

Re: [PATCH review 05/16] xfs: Update xfs_ioctl_setattr to handle projids in any user namespace

2013-07-29 Thread Gao feng
On 07/30/2013 11:57 AM, Dave Chinner wrote: > On Tue, Jul 30, 2013 at 11:15:50AM +0800, Gao feng wrote: >> On 07/29/2013 03:51 PM, Dave Chinner wrote: >>> http://oss.sgi.com/pipermail/xfs/2013-July/028467.html >>> >>> Basically, the discussion we are current

Re: [PATCH review 05/16] xfs: Update xfs_ioctl_setattr to handle projids in any user namespace

2013-07-29 Thread Gao feng
On 07/29/2013 03:51 PM, Dave Chinner wrote: > [ cc xfs list ] > > On Mon, Jul 29, 2013 at 03:17:06PM +0800, Gao feng wrote: >> On 02/19/2013 09:55 AM, Dave Chinner wrote: >>> On Sun, Feb 17, 2013 at 05:10:58PM -0800, Eric W. Biederman wrote: >>>> From: "Er

Re: [PATCH 7/9] syslog_ns: implement function for creating syslog ns

2013-07-29 Thread Gao feng
On 07/29/2013 10:31 AM, Rui Xiang wrote: > Add create_syslog_ns function to create a new ns. We > must create a user_ns before create a new syslog ns. > And then tie the new syslog_ns to current user_ns > instead of original syslog_ns which comes from > parent user_ns. > > Add a new syslog flag SY

Re: [PATCH 2/9] syslog_ns: add syslog_ns into user_namespace

2013-07-29 Thread Gao feng
On 07/29/2013 05:46 PM, Gu Zheng wrote: > Hi Rui, > > On 07/29/2013 10:31 AM, Rui Xiang wrote: > >> Add a syslog_ns pointer to user_namespace, and make >> syslog_ns per user_namespace, not global. >> >> Since syslog_ns is assigned to user_ns, we can have >> full capabilities in new user_ns to cre

Re: [PATCH 9/9] netfilter: use ns_printk in iptable context

2013-07-29 Thread Gao feng
On 07/29/2013 10:31 AM, Rui Xiang wrote: > To containerise iptables log, use ns_printk > to report individual logs to container as > getting syslog_ns from skb->dev->nd_net->user_ns. > > Signed-off-by: Rui Xiang > --- > include/net/netfilter/xt_log.h | 6 +- > net/netfilter/xt_LOG.c

Re: [PATCH review 05/16] xfs: Update xfs_ioctl_setattr to handle projids in any user namespace

2013-07-29 Thread Gao feng
On 02/19/2013 09:55 AM, Dave Chinner wrote: > On Sun, Feb 17, 2013 at 05:10:58PM -0800, Eric W. Biederman wrote: >> From: "Eric W. Biederman" >> >> - Convert the userspace value in fa->fsx_projid into a kprojid and >> store it in the variable projid. >> - Verify that xfs can store the projid aft

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-07-03 Thread Gao feng
On 06/21/2013 11:48 AM, Gao feng wrote: > On 06/20/2013 09:02 PM, Eric Paris wrote: >> On Thu, 2013-06-20 at 11:02 +0800, Gao feng wrote: >>> On 06/20/2013 04:51 AM, Eric Paris wrote: >>>> On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote: >>>>

Re: v3.10-rc7 oops soon after boot

2013-06-24 Thread Gao feng
On 06/24/2013 07:34 PM, Pablo Neira Ayuso wrote: > On Mon, Jun 24, 2013 at 05:52:08PM +0800, Gao feng wrote: >> On 06/24/2013 05:41 PM, George Spelvin wrote: >>>> Please try the patch below, >>>> I think this bug is introduced by me :( >>>> >>

Re: v3.10-rc7 oops soon after boot

2013-06-24 Thread Gao feng
On 06/25/2013 06:17 AM, George Spelvin wrote: >>> Reported-by: Borislav Petkov > >> This should be: >> >> Reported-by: George Spelvin >> >> I only connected the dots... > > Well, you did a whole lot more than me! I just lobbed a "d'oh, it > crashes" into the seething ocean of lkml. (Admittedl

Re: v3.10-rc7 oops soon after boot

2013-06-24 Thread Gao feng
t; in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ > >From f22cb6a9a52497364605c25930ba470ee180ca58 Mon Sep 17 00:00:00 2001 From: Gao feng Date: Mon, 24 Jun 2

Re: v3.10-rc7 oops soon after boot

2013-06-24 Thread Gao feng
iable timing > during init script processing. > Hi George, Please try the patch below, I think this bug is introduced by me :( Thanks! >From f12c9178b881e0b21efd37b10a33059fd0544a40 Mon Sep 17 00:00:00 2001 From: Gao feng Date: Mon, 24 Jun 2013 17:04:02 +0800 Subject: [PATCH] netfilter: ipt_

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-20 Thread Gao feng
On 06/21/2013 06:01 AM, Eric W. Biederman wrote: > Gao feng writes: > >> On 06/20/2013 11:02 AM, Gao feng wrote: >>> If we don't tie audit to user namespace, there is still one problem. >> >> One more problem. some audit messages are generated by some net

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-20 Thread Gao feng
On 06/20/2013 09:02 PM, Eric Paris wrote: > On Thu, 2013-06-20 at 11:02 +0800, Gao feng wrote: >> On 06/20/2013 04:51 AM, Eric Paris wrote: >>> On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote: >>>> On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-19 Thread Gao feng
On 06/20/2013 05:03 AM, Eric W. Biederman wrote: > Eric Paris writes: > >> On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote: >>> On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote: >>>> This patchset is first part of namespace support for audit.

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-19 Thread Gao feng
On 06/20/2013 11:02 AM, Gao feng wrote: > If we don't tie audit to user namespace, there is still one problem. One more problem. some audit messages are generated by some net subsystem such as netfilter. If we don't tie audit to user namespace, we have no idea where these audit messa

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-19 Thread Gao feng
On 06/20/2013 04:51 AM, Eric Paris wrote: > On Wed, 2013-06-19 at 16:49 -0400, Aristeu Rozanski wrote: >> On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote: >>> This patchset is first part of namespace support for audit. >>> in this patchset, the mainly res

[PATCH 02/22] Audit: remove duplicate comments

2013-06-18 Thread Gao feng
Remove it. Signed-off-by: Gao feng --- kernel/audit.c | 7 --- 1 file changed, 7 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index ad3084c..843e7a2 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1067,13 +1067,6 @@ static void wait_for_auditd(unsigned long sleep_time

[PATCH 14/22] Audit: only allow init user namespace to change audit_failure

2013-06-18 Thread Gao feng
Setting audit_failure to AUDIT_FAIL_PANIC may cause a system panic. We should disallow an uninit user namespace from changing it. Signed-off-by: Gao feng --- kernel/audit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 306231d..79a8b8e 100644 --- a/kernel

[PATCH 15/22] Audit: only allow init user namespace to change backlog_limit

2013-06-18 Thread Gao feng
Prevent un-init user namespace from generating lots of skb. Signed-off-by: Gao feng --- kernel/audit.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 79a8b8e..297ac6e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -303,6 +303,9 @@ static int

[PATCH 08/22] Audit: make kauditd_task per user namespace

2013-06-18 Thread Gao feng
This patch makes kauditd_task per user namespace. Since right now we only allow users in the init user namespace to send audit netlink messages to the kernel, the kauditd_task belonging to other user namespaces will still not run. Signed-off-by: Gao feng --- include/linux/audit.h | 1

[PATCH 06/22] Audit: make audit_skb_queue per user namespace

2013-06-18 Thread Gao feng
After this patch, every user namespace has one audit_skb_queue. Since we haven't finished the preparations, only allow users to operate the skb queue of the init user namespace. Signed-off-by: Gao feng --- include/linux/audit.h | 4 include/linux/user_namespace.h | 2 ++ kernel/au

[PATCH 11/22] Audit: make audit_ever_enabled per user namespace

2013-06-18 Thread Gao feng
: Gao feng --- include/linux/user_namespace.h | 1 + kernel/audit.c | 7 +++ kernel/auditsc.c | 5 - 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h index 9972f0f..a2c0a79 100644 --- a

[PATCH 05/22] Audit: implement audit self-defined compare function

2013-06-18 Thread Gao feng
After this patch, audit netlink sockets can communicate with each other when they belong to the same user namespace. Signed-off-by: Gao feng --- kernel/audit.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 11b56b7..a411b02 100644 --- a/kernel
