Re: [PATCH v7 7/7] enable building user namespace with xfs

Dave Chinner david at fromorbit.com
Sun Aug 11 18:57:33 CDT 2013


On Wed, Aug 07, 2013 at 02:59:30PM +0000, Serge E. Hallyn wrote:
> Quoting Dave Chinner (david at fromorbit.com):
> > On Wed, Jul 31, 2013 at 08:25:23AM -0500, Ben Myers wrote:
> > > Hey,
> > > 
> > > On Wed, Jul 31, 2013 at 10:21:19AM +1000, Dave Chinner wrote:
> > > > On Tue, Jul 30, 2013 at 06:40:21PM -0500, Ben Myers wrote:
> > > > > On Mon, Jul 29, 2013 at 11:07:09PM -0400, Dwight Engen wrote:
> > > > > > From e6a9ee0cfa0ed40484f66bc1726dc19de36038b8 Mon Sep 17 00:00:00 2001
> > > > > > From: Dwight Engen <dwight.engen at oracle.com>
> > > > > > Date: Tue, 2 Jul 2013 09:52:54 -0400
> > > > > > Subject: [PATCH 7/7] enable building user namespace with xfs
> > > > > > 
> > > > > > Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
> > > > > 
> > > > > Was there a patch running around to limit bulkstat to init_user_ns?  Any other
> > > > > items that needed to be addressed before applying this patch?
> > > > 
> > > > Bulkstat has a capable(CAP_SYS_ADMIN) check and therefore can only be
> > > > executed in the init name space. Similarly, all the open-by-handle
> > > > interfaces have the same capable() checks so they can only be
> > > > executed in the init name space, too.
> > > 
> > > Gah.  I was under the impression that you could have a process with
> > > CAP_SYS_ADMIN in a namespace other than init_user_ns.
> > 
> > Ben, until about a week and a half ago I was also working under that
> > same understanding as you.  So don't feel bad about not knowing
> > about this basic, fundamental rule because it is completely
> > undocumented and it's not obvious to anyone reading the code until
> > someone points it out....
> 
> It's actually all documented in new manpages like namespaces(7) and
> user_namespaces(7).  Unfortunately those don't seem to have been released yet.

User facing documentation goes in man pages.

My comments about the above point at the fact that there is no
developer facing documentation that tells us how to safely and
*securely* implement namespace support in different filesystems.
Information on the architecture, design and use of internal kernel
infrastructure for kernel developers should be in the Documentation/
subdirectory of the kernel tree.

Cheers,

Dave.
-- 
Dave Chinner
david at fromorbit.com
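
The rule discussed in the thread above, that a capable(CAP_SYS_ADMIN) gate is only satisfied from the init user namespace, shown as an added user-space model (not code from this thread or from the kernel tree). The struct layouts and the model_capable()/model_ns_capable() names are simplified assumptions standing in for the kernel's capable() and its namespace-aware counterpart ns_capable(); the scenario data is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define CAP_SYS_ADMIN 21  /* value from linux/capability.h */

/* Simplified stand-ins (assumptions) for the kernel's namespace and cred structures. */
struct user_ns { struct user_ns *parent; unsigned owner_uid; };
struct cred    { struct user_ns *user_ns; unsigned euid; uint64_t cap_effective; };

static struct user_ns init_user_ns = { NULL, 0 };

/* Model of the namespace walk: does cred hold cap with respect to targ? */
static bool model_ns_capable(const struct cred *c, const struct user_ns *targ, int cap)
{
    for (;;) {
        if (targ == c->user_ns)            /* same namespace: test the capability bit */
            return (c->cap_effective >> cap) & 1;
        if (targ == &init_user_ns)         /* no more ancestors to try */
            return false;
        if (targ->parent == c->user_ns && targ->owner_uid == c->euid)
            return true;                   /* creator of a child namespace, seen from its parent */
        targ = targ->parent;
    }
}

/* capable(cap) is the same check with the target fixed to init_user_ns. */
static bool model_capable(const struct cred *c, int cap)
{
    return model_ns_capable(c, &init_user_ns, cap);
}

/* Constructed scenario: uid 1000 creates a container namespace and is uid 0 inside it. */
static struct user_ns container_ns = { &init_user_ns, 1000 };
static const struct cred container_root = { &container_ns, 0, ~0ULL };
static const struct cred host_root      = { &init_user_ns, 0, ~0ULL };
static const struct cred host_user      = { &init_user_ns, 1000, 0 };

int main(void)
{
    /* A bulkstat-style gate passes for host root only; the container's
     * full capability set counts only against the container namespace. */
    bool ok = model_capable(&host_root, CAP_SYS_ADMIN)
           && !model_capable(&container_root, CAP_SYS_ADMIN)
           && model_ns_capable(&container_root, &container_ns, CAP_SYS_ADMIN)
           && model_ns_capable(&host_user, &container_ns, CAP_SYS_ADMIN);
    return ok ? 0 : 1;
}
```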


