Hi,
I have a problem with the error management of add_disk() and del_gendisk().
add_disk() adds an entry in /sys/block/. The filename in /sys/block is
not (struct gen_disk)->disk_name but more or less the first KOBJ_NAME_LEN
characters of (struct gen_disk)->disk_name.
#define KOBJ_NAME_LEN
On Tue, 24 Jul 2007 14:28:05 +0100,
Al Viro <[EMAIL PROTECTED]> wrote:
>On Tue, Jul 24, 2007 at 01:57:53PM +0200, Alban Crequy wrote:
>> Hi,
>>
>> I have a problem with the error management of add_disk() and
>> del_gendisk().
>>
>> add_disk() add
Hi,
On 14 July 2016 at 20:20, Andrey Vagin wrote:
> Each namespace has an owning user namespace and now there is no way
> to discover these relationships.
>
> Pid and user namespaces are hierarchical. There is no way to discover
> parent-child relationships too.
>
> Why we may want to know relati
From: Alban Crequy
The act of a process creating or joining a namespace via clone(),
unshare() or setns() is a useful signal for monitoring applications.
I am working on a monitoring application that keeps track of all the
containers and all processes inside each container. The current way of
On 12 September 2016 at 23:39, Evgeniy Polyakov wrote:
> Hi everyone
>
> 08.09.2016, 18:39, "Alban Crequy" :
>> The act of a process creating or joining a namespace via clone(),
>> unshare() or setns() is a useful signal for monitoring applications.
>
>>
Hi,
I'm reporting an issue in overlay fs that was introduced in v4.2 (it
worked on v4.1): when overlay fs is mounted inside an overlay fs, I get
a "no such device or address" error (ENXIO) during open(). After
adding some debug printks, I found that the ENXIO comes from
fs/inode.c:no_open().
The b
On 12 October 2015 at 15:50, Miklos Szeredi wrote:
> On Wed, Oct 07, 2015 at 02:23:23PM +0200, Alban Crequy wrote:
>> Hi,
>>
>> I'm reporting an issue in overlay fs that was introduced in v4.2 (it
>> worked on v4.1): when overlay fs is mounted inside an overlay f
On Thu, Jan 18, 2018 at 10:25 PM, Mimi Zohar wrote:
> On Tue, 2018-01-16 at 16:10 +0100, Alban Crequy wrote:
>> From: Alban Crequy
>>
>> This patch forces files to be re-measured, re-appraised and re-audited
>> on file systems with the feature flag FS_NO_IMA_CA
On Fri, Jan 19, 2018 at 5:56 PM, Mimi Zohar wrote:
> On Fri, 2018-01-19 at 11:35 +0100, Alban Crequy wrote:
>> On Thu, Jan 18, 2018 at 10:25 PM, Mimi Zohar
>> wrote:
>> > On Tue, 2018-01-16 at 16:10 +0100, Alban Crequy wrote:
>> >> From: Alban Crequy
>&
From: Alban Crequy
This new fs_type flag FS_IMA_NO_CACHE means files should be re-measured,
re-appraised and re-audited each time. Cached integrity results should
not be used.
It is useful in FUSE because the userspace FUSE process can change the
underlying files at any time without notifying
om/linux-kernel@vger.kernel.org/msg1587678.html
- rename flag to FS_IMA_NO_CACHE
- split patch into 2
The patchset is also available in our github repo:
https://github.com/kinvolk/linux/tree/alban/fuse-flag-ima-nocache-v3
Alban Crequy (2):
fuse: introduce new fs_type flag FS_IMA_NO_CACHE
From: Alban Crequy
This patch forces files to be re-measured, re-appraised and re-audited
on file systems with the feature flag FS_IMA_NO_CACHE. In that way,
cached integrity results won't be used.
How to test this:
The test I did was using a patched version of the memfs FUSE driver
[1][2
[Adding Tejun, David, Tom for question about cuse]
On Fri, Dec 22, 2017 at 3:32 PM, Dongsu Park wrote:
> From: Seth Forshee
>
> In order to support mounts from namespaces other than
> init_user_ns, fuse must translate uids and gids to/from the
> userns of the process servicing requests on /dev/f
On Wed, Jan 17, 2018 at 3:29 PM, Seth Forshee
wrote:
> On Wed, Jan 17, 2018 at 11:59:06AM +0100, Alban Crequy wrote:
>> [Adding Tejun, David, Tom for question about cuse]
>>
>> On Fri, Dec 22, 2017 at 3:32 PM, Dongsu Park wrote:
>> > From: Seth Forshee
>> &g
On Wed, Jan 17, 2018 at 8:31 PM, Seth Forshee
wrote:
> On Wed, Jan 17, 2018 at 07:56:59PM +0100, Alban Crequy wrote:
>> On Wed, Jan 17, 2018 at 3:29 PM, Seth Forshee
>> wrote:
>> > On Wed, Jan 17, 2018 at 11:59:06AM +0100, Alban Crequy wrote:
>> >> [Adding
On Tue, Jan 9, 2018 at 4:05 PM, Dongsu Park wrote:
> Hi,
>
> On Mon, Dec 25, 2017 at 8:05 AM, Eric W. Biederman
> wrote:
>> Dongsu Park writes:
>>
>>> This patchset v5 is based on work by Seth Forshee and Eric Biederman.
>>> The latest patchset was v4:
>>> https://www.mail-archive.com/linux-kern
From: Alban Crequy
This patch forces files to be re-measured, re-appraised and re-audited
on file systems with the feature flag FS_NO_IMA_CACHE. In that way,
cached integrity results won't be used.
For now, only FUSE filesystems use this flag. This is because the
userspace FUSE proces
On Tue, Jan 16, 2018 at 11:41 AM, Alban Crequy wrote:
> From: Alban Crequy
>
> This patch forces files to be re-measured, re-appraised and re-audited
> on file systems with the feature flag FS_NO_IMA_CACHE. In that way,
> cached integrity results won't be used.
>
> For
From: Alban Crequy
This patch forces files to be re-measured, re-appraised and re-audited
on file systems with the feature flag FS_NO_IMA_CACHE. In that way,
cached integrity results won't be used.
For now, this patch adds the new flag only to FUSE filesystems. This is
needed because the user
bytes = 8, handle_type = 1
> cgroup_id = 0x106b2
> // the below command to get cgroup_id from the kernel for the
> // process compiled with t.c and ran under /home/yhs/tmp/yhs:
> $ sudo ./trace.py -p 4067 '__x64_sys_nanosleep "cgid = %llx", $cgid'
> PID TID COMMFUNC
From: Alban Crequy
bpf_get_current_cgroup_ino() allows BPF trace programs to get the inode
of the cgroup where the current process resides.
My use case is to get statistics about syscalls done by a specific
Kubernetes container. I have a tracepoint on raw_syscalls/sys_enter and
a BPF map
On Thu, 31 May 2018 at 16:52, Tycho Andersen wrote:
>
> The idea here is that the userspace handler should be able to pass an fd
> back to the trapped task, for example so it can be returned from socket().
>
> I've proposed one API here, but I'm open to other options. In particular,
> this only le
mp; unshare
-U -r -p -m -f mount -t proc proc /proc && echo ok"
mount: /proc: permission denied.
(this patch does not support /proc/cmdline as hideable)
$ sudo unshare -p -f -m sh -c "mount --bind /dev/null /proc/kcore && unshare -U
-r -p -m -f mount -t proc proc /proc
Hi,
With the addfd feature (added in “seccomp: Introduce addfd ioctl to
seccomp user notifier”, commit 7cf97b125455), the new file is
installed in the target process during the SECCOMP_IOCTL_NOTIF_ADDFD
operation and not at the end with the SECCOMP_IOCTL_NOTIF_SEND
operation. This can cause race c
/proc//cgroup contains one cgroup path on each line. If cgroup names are
allowed to contain "\n", applications cannot parse /proc//cgroup safely.
I use < 0x20 as seen in vfat_bad_char; is it safe to use isprint()?
Signed-off-by: Alban Crequy
---
kernel/cgroup.c | 19 ++
/proc//cgroup contains one cgroup path on each line. If cgroup names are
allowed to contain "\n", applications cannot parse /proc//cgroup safely.
Signed-off-by: Alban Crequy
---
v2: Fixed according to comments from Tejun Heo: only reject '\n'
kernel/cgroup.c | 5
Hi,
Thanks for the patches!
On 8 December 2015 at 00:06, wrote:
> Hi,
>
> following is a revised set of the CGroup Namespace patchset which Aditya
> Kali has previously sent. The code can also be found in the cgroupns.v6
> branch of
>
> https://git.kernel.org/cgit/linux/kernel/git/sergeh/linux
Hi,
On 29 January 2016 at 09:54, wrote:
> Hi,
>
> following is a revised set of the CGroup Namespace patchset which Aditya
> Kali has previously sent. The code can also be found in the cgroupns.v10
> branch of
>
> https://git.kernel.org/cgit/linux/kernel/git/sergeh/linux-security.git/
>
> To su
Hello,
Thanks for updating the man page.
On 12 December 2014 at 22:54, Eric W. Biederman wrote:
(...)
> Furthermore to preserve in some form the useful applications that have
> been setting gid_map without privilege the file /proc/[pid]/setgroups
> was added to allow disabling setgroups. With t
From: Alban Crequy
bpftool has support for attach types "stream_verdict" and
"stream_parser" but the documentation was referring to them with
"skb_verdict" and "skb_parse". The inconsistency comes from commit
b7d3826c2ed6 ("bpf: bpftool, add support
On Mon, Feb 11, 2019 at 2:26 PM Quentin Monnet
wrote:
>
> 2019-02-11 13:54 UTC+0100 ~ Alban Crequy
> > From: Alban Crequy
> >
> > bpftool has support for attach types "stream_verdict" and
> > "stream_parser" but the documentation was referring t
From: Alban Crequy
bpftool has support for attach types "stream_verdict" and
"stream_parser" but the documentation was referring to them as
"skb_verdict" and "skb_parse". The inconsistency comes from commit
b7d3826c2ed6 ("bpf: bpftool, add support
From: Alban Crequy
trie_delete_elem() was deleting an entry even though it was not matching
if the prefixlen was correct. This patch adds a check on matchlen.
Reproducer:
$ sudo bpftool map create /sys/fs/bpf/mylpm type lpm_trie key 8 value 1 entries
128 name mylpm flags 1
$ sudo bpftool map
On Thu, Feb 21, 2019 at 11:24 PM Martin Lau wrote:
>
> On Thu, Feb 21, 2019 at 05:39:26PM +0100, Alban Crequy wrote:
> > From: Alban Crequy
> >
> > trie_delete_elem() was deleting an entry even though it was not matching
> > if the prefixlen was correct. This
From: Alban Crequy
trie_delete_elem() was deleting an entry even though it was not matching
if the prefixlen was correct. This patch adds a check on matchlen.
Reproducer:
$ sudo bpftool map create /sys/fs/bpf/mylpm type lpm_trie key 8 value 1 entries
128 name mylpm flags 1
$ sudo bpftool map
f6b425f932
On Fri, Feb 22, 2019 at 2:19 PM Alban Crequy wrote:
>
> From: Alban Crequy
>
> trie_delete_elem() was deleting an entry even though it was not matching
> if the prefixlen was correct. This patch adds a check on matchlen.
>
> Reproducer:
>
> $ sudo bpftool map c
From: Alban Crequy
Using a file descriptor passed by the parent process enables
applications to fork a bpftool command to inspect a map they know by
file descriptor even when they don't support bpffs or map ids.
Documentation and bash completion updated as well.
Signed-off-by: Alban C
From: Alban Crequy
Before this patch, there was no way to fill attr.inner_map_fd, necessary
for array_of_maps or hash_of_maps.
This patch adds keyword 'innermap' to pass the innermap, either as an id
or as a pinned map.
Example of commands:
$ sudo bpftool map create /sys/fs/bpf/inn
ue, Mar 5, 2019 at 6:32 PM Jakub Kicinski
wrote:
>
> On Tue, 5 Mar 2019 17:38:03 +0100, Alban Crequy wrote:
> > From: Alban Crequy
> >
> > Before this patch, there was no way to fill attr.inner_map_fd, necessary
> > for array_of_maps or hash_of_maps.
> >
>
On Sat, Sep 29, 2018 at 12:35 PM Aleksa Sarai wrote:
>
> The need for some sort of control over VFS's path resolution (to avoid
> malicious paths resulting in inadvertent breakouts) has been a very
> long-standing desire of many userspace applications. This patchset is a
> revival of Al Viro's old
On Mon, May 14, 2018 at 9:38 PM, Y Song wrote:
>
> On Sun, May 13, 2018 at 10:33 AM, Alban Crequy wrote:
> > From: Alban Crequy
> >
> > bpf_get_current_cgroup_ino() allows BPF trace programs to get the inode
> > of the cgroup where the current process resides.
On 14 January 2017 at 15:15, Kirill Tkhai wrote:
> For correct checkpointing/restoring of a task from userspace
> it needs to know the task's pid_ns_for_children. Currently,
> there is no sane way to do that (the only possible trick
> is to force the task to create a new child and to analyze the
>
Hi,
> Currently, there is no trivial mechanism to analyze events based on
> containers. perf -G can be used, but it will not filter events for the
> containers created after perf is invoked, making it difficult to assess/
> analyze performance issues of multiple containers at once.
>
> This patch-
On 29 January 2016 at 09:54, wrote:
> Hi,
>
> following is a revised set of the CGroup Namespace patchset which Aditya
> Kali has previously sent. The code can also be found in the cgroupns.v10
> branch of
>
> https://git.kernel.org/cgit/linux/kernel/git/sergeh/linux-security.git/
>
> To summari
Hi,
On 7 December 2015 at 23:38, Tejun Heo wrote:
> This patch implements xt_cgroup path match which matches cgroup2
> membership of the associated socket. The match is recursive and
> invertible.
Are there any plans to implement a similar cgroup2 path match in a
cgroup classifier in tc?
I wonde
From: Alban Crequy
This adds the selftest "cgroupns_test" in order to test the CGroup
Namespace patchset.
cgroupns_test creates two child processes. They perform a list of
actions defined by the array cgroupns_test. This array can easily be
extended to more scenarios without adding
From: Alban Crequy
This adds the selftest "cgroupns_test" in order to test the CGroup
Namespace patchset.
cgroupns_test creates two child processes. They perform a list of
actions defined by the array cgroupns_test. This array can easily be
extended to more scenarios without adding
Hi,
I tested the patches on top of 5.10.0-rc3+ and I could mount an NFS
share with a different user namespace. fsopen() is done in the
container namespaces (user, mnt and net namespaces) while fsconfig(),
fsmount() and move_mount() are done on the host namespaces. The mount
on the host is availabl
ovisor/bcc/issues/1072
Signed-off-by: Alban Crequy
---
Documentation/trace/kprobetrace.txt | 4 +++-
kernel/trace/trace_kprobe.c | 34 +-
2 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/Documentation/trace/kprobetrace.txt
b/Documenta
Thanks for the review,
On Tue, Mar 28, 2017 at 5:23 PM, Masami Hiramatsu wrote:
> On Tue, 28 Mar 2017 15:52:22 +0200
> Alban Crequy wrote:
>
>> When a kretprobe is installed on a kernel function, there is a maximum
>> limit of how many calls in parallel it can catch
From: Alban Crequy
When a kretprobe is installed on a kernel function, there is a maximum
limit of how many calls in parallel it can catch (aka "maxactive"). A
kernel module could call register_kretprobe() and initialize maxactive
(see example in samples/kprobes/kretprobe_example.c).
On Thu, Mar 30, 2017 at 8:53 AM, Ingo Molnar wrote:
>
> * Masami Hiramatsu wrote:
>
>> > So this is something I missed while the original code was merged, but the
>> > concept
>> > looks a bit weird: why do we do any "allocation" while a handler is
>> > executing?
>> >
>> > That's fundamentally
d-off-by: Masami Hiramatsu
I tested this patch with my kretprobe on "inet_csk_accept" when there
are many processes waiting in the accept() syscall. I can now
successfully see the nmissed counter in
/sys/kernel/debug/tracing/kprobe_profile being incremented when the
kretprobe
nsupported: 0
> # of xfailed: 0
> # of undefined(test bug): 0
BugLink: https://github.com/iovisor/bcc/issues/1072
Signed-off-by: Alban Crequy
---
Changes since v1:
- Remove "(*)" from documentation. (Review from Masami Hiramatsu)
- Fix support for "r100" without th
On Fri, Feb 2, 2018 at 5:10 PM, Miklos Szeredi wrote:
> On Fri, Feb 2, 2018 at 4:33 PM, Mimi Zohar wrote:
>> On Fri, 2018-02-02 at 10:20 -0500, Mimi Zohar wrote:
>>> Hi Miklos,
>>>
>>> On Tue, 2018-01-30 at 19:06 +0100, Dongsu Park wrote:
>>> >
Hi Mickaël,
On 21 August 2017 at 02:09, Mickaël Salaün wrote:
> Add a basic sandbox tool to create a process isolated from some part of
> the system. This sandbox creates a read-only environment. It is only
> allowed to write to a character device such as a TTY:
...
> + /*
> +* This
://github.com/kinvolk/linux.git alban/proc_ns_connector-v2-5
Alban Crequy (2):
proc connector: add namespace events
proc connector: add a "get feature" op
drivers/connector/cn_proc.c | 163 ---
include/linux/cn_proc.h | 25 +++
include/
From: Alban Crequy
The act of a process creating or joining a namespace via clone(),
unshare() or setns() is a useful signal for monitoring applications.
I am working on a monitoring application that keeps track of all the
containers and all processes inside each container. The current way of
From: Alban Crequy
As more kinds of events are being added in the proc connector, userspace
needs a way to detect whether the kernel supports those new events.
When a kind of event is not supported, userspace should report an error
properly, or fallback to other methods (regular polling of