Re: [PATCH RFC] user-namespaced file capabilities - now with more magic

2016-05-20 Thread Serge E. Hallyn
Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): > On Fri, 2016-05-20 at 14:59 -0500, Serge E. Hallyn wrote: > > Quoting Eric W. Biederman (ebied...@xmission.com): > > > "Serge E. Hallyn" writes: > > > > > > > Quoting Eric W. Biederman (ebied...@xmission.com): > > > >> Mimi Zohar writes: > > > >>

Re: [PATCH RFC] user-namespaced file capabilities - now with more magic

2016-05-20 Thread Mimi Zohar
On Fri, 2016-05-20 at 14:59 -0500, Serge E. Hallyn wrote: > Quoting Eric W. Biederman (ebied...@xmission.com): > > "Serge E. Hallyn" writes: > > > > > Quoting Eric W. Biederman (ebied...@xmission.com): > > >> Mimi Zohar writes: > > >> > > >> > On Thu, 2016-05-19 at 22:40 -0500, Serge E. Hallyn

Re: [PATCH RFC] user-namespaced file capabilities - now with more magic

2016-05-20 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > "Serge E. Hallyn" writes: > > > Quoting Eric W. Biederman (ebied...@xmission.com): > >> Mimi Zohar writes: > >> > >> > On Thu, 2016-05-19 at 22:40 -0500, Serge E. Hallyn wrote: > >> >> Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): > >> >> >

Re: [PATCH RFC] user-namespaced file capabilities - now with more magic

2016-05-20 Thread Eric W. Biederman
"Serge E. Hallyn" writes: > Quoting Eric W. Biederman (ebied...@xmission.com): >> Mimi Zohar writes: >> >> > On Thu, 2016-05-19 at 22:40 -0500, Serge E. Hallyn wrote: >> >> Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): >> >> > On Wed, 2016-05-18 at 16:57 -0500, Serge E. Hallyn wrote: >> > >>

Re: [PATCH RFC] user-namespaced file capabilities - now with more magic

2016-05-20 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > Mimi Zohar writes: > > > On Thu, 2016-05-19 at 22:40 -0500, Serge E. Hallyn wrote: > >> Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): > >> > On Wed, 2016-05-18 at 16:57 -0500, Serge E. Hallyn wrote: > > > >> > > diff --git a/fs/xattr.c

Re: [PATCH RFC] user-namespaced file capabilities - now with more magic

2016-05-20 Thread Eric W. Biederman
Mimi Zohar writes: > On Fri, 2016-05-20 at 13:28 -0500, Eric W. Biederman wrote: >> Mimi Zohar writes: >> >> > On Thu, 2016-05-19 at 22:40 -0500, Serge E. Hallyn wrote: >> >> Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): >> >> > On Wed, 2016-05-18 at 16:57 -0500, Serge E. Hallyn wrote: >> >

Re: [PATCH RFC] user-namespaced file capabilities - now with more magic

2016-05-20 Thread Mimi Zohar
On Fri, 2016-05-20 at 13:28 -0500, Eric W. Biederman wrote: > Mimi Zohar writes: > > > On Thu, 2016-05-19 at 22:40 -0500, Serge E. Hallyn wrote: > >> Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): > >> > On Wed, 2016-05-18 at 16:57 -0500, Serge E. Hallyn wrote: > > > >> > > diff --git

Re: [PATCH RFC] user-namespaced file capabilities - now with more magic

2016-05-20 Thread Eric W. Biederman
Mimi Zohar writes: > On Thu, 2016-05-19 at 22:40 -0500, Serge E. Hallyn wrote: >> Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): >> > On Wed, 2016-05-18 at 16:57 -0500, Serge E. Hallyn wrote: > >> > > diff --git a/fs/xattr.c b/fs/xattr.c >> > > index 4861322..5c0e7ae 100644 >> > > ---

Re: [PATCH RFC] user-namespaced file capabilities - now with more magic

2016-05-20 Thread Mimi Zohar
On Thu, 2016-05-19 at 22:40 -0500, Serge E. Hallyn wrote: > Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): > > On Wed, 2016-05-18 at 16:57 -0500, Serge E. Hallyn wrote: > > > diff --git a/fs/xattr.c b/fs/xattr.c > > > index 4861322..5c0e7ae 100644 > > > --- a/fs/xattr.c > > > +++ b/fs/xattr.c > >

Re: [PATCH RFC] user-namespaced file capabilities - now with more magic

2016-05-19 Thread Serge E. Hallyn
Quoting Mimi Zohar (zo...@linux.vnet.ibm.com): > On Wed, 2016-05-18 at 16:57 -0500, Serge E. Hallyn wrote: > > This patch introduces a new security.nscapability xattr. It > > is mostly like security.capability, but also lists a 'rootid'. > > This is the uid_t (in init_user_ns) of the root id (uid

Re: [PATCH RFC] user-namespaced file capabilities - now with more magic

2016-05-19 Thread Mimi Zohar
On Wed, 2016-05-18 at 16:57 -0500, Serge E. Hallyn wrote: > This patch introduces a new security.nscapability xattr. It > is mostly like security.capability, but also lists a 'rootid'. > This is the uid_t (in init_user_ns) of the root id (uid 0 in a > namespace) in whose namespaces the file

[PATCH RFC] user-namespaced file capabilities - now with more magic

2016-05-18 Thread Serge E. Hallyn
This patch introduces a new security.nscapability xattr. It is mostly like security.capability, but also lists a 'rootid'. This is the uid_t (in init_user_ns) of the root id (uid 0 in a namespace) in whose namespaces the file capabilities may take effect. A privileged (cap_setfcap) process in
