On 10/22/19 11:54 PM, Amir Goldstein wrote:
On Tue, Oct 22, 2019 at 11:45 PM Mark Salyzyn wrote:
Patch series:
Mark Salyzyn (5):
Add flags option to get xattr method paired to __vfs_getxattr
overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh
overlayfs: handle
access permissions and report back to the logs and
the caller that the target context was blocked.
For selinux this would solve the cosmetic issue of the selinux log
and allow audit2allow to correctly report the rule needed to address
the access problem.
Signed-off-by: Mark Salyzyn
Cc: Miklos Sze
d
in other filesystems for their own internal trusted xattr management.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux
Assumption never checked, should fail if the mounter creds are not
sufficient.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc
uld be fixed for
completeness and for general use in time.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc@vger.kernel.org
Patch series:
Mark Salyzyn (5):
Add flags option to get xattr method paired to __vfs_getxattr
overlayfs: check CAP_DAC_READ_SEARCH before issuing exportfs_decode_fh
overlayfs: handle XATTR_NOSECURITY flag for get xattr method
overlayfs: internal getxattr operations without sepolicy
d
in other filesystems for their own internal trusted xattr management.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux
uld be fixed for
completeness and for general use in time.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc@vger.kernel.org
er that the target context was blocked.
For selinux this would solve the cosmetic issue of the selinux log
and allow audit2allow to correctly report the rule needed to address
the access problem.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. B
Assumption never checked, should fail if the mounter creds are not
sufficient.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc
tem will be only the
caller's credentials. The module boolean parameter and mount option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/overlay_creds
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan
On 7/30/19 8:55 AM, Stephen Smalley wrote:
On 7/26/19 2:30 PM, Mark Salyzyn wrote:
On 7/25/19 10:04 PM, Amir Goldstein wrote:
On Thu, Jul 25, 2019 at 7:22 PM Mark Salyzyn
wrote:
On 7/25/19 8:43 AM, Amir Goldstein wrote:
On Thu, Jul 25, 2019 at 6:03 PM Mark Salyzyn
wrote:
On 7/24/19 10:48
uld be fixed for
completeness and for general use in time.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc@vger.kernel.org
d
in other filesystems for their own internal trusted xattr management.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux
option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/overlay_creds
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy
Assumption never checked, should fail if the mounter creds are not
sufficient.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc
On 7/25/19 10:04 PM, Amir Goldstein wrote:
On Thu, Jul 25, 2019 at 7:22 PM Mark Salyzyn wrote:
On 7/25/19 8:43 AM, Amir Goldstein wrote:
On Thu, Jul 25, 2019 at 6:03 PM Mark Salyzyn wrote:
On 7/24/19 10:48 PM, Amir Goldstein wrote:
On Wed, Jul 24, 2019 at 10:57 PM Mark Salyzyn wrote
On 7/25/19 8:43 AM, Amir Goldstein wrote:
On Thu, Jul 25, 2019 at 6:03 PM Mark Salyzyn wrote:
On 7/24/19 10:48 PM, Amir Goldstein wrote:
On Wed, Jul 24, 2019 at 10:57 PM Mark Salyzyn wrote:
Because of the overlayfs getxattr recursion, the incoming inode fails
to update the selinux sid
On 7/24/19 10:48 PM, Amir Goldstein wrote:
On Wed, Jul 24, 2019 at 10:57 PM Mark Salyzyn wrote:
Because of the overlayfs getxattr recursion, the incoming inode fails
to update the selinux sid resulting in avc denials being reported
against a target context of u:object_r:unlabeled:s0.
This
On 7/24/19 11:14 PM, Amir Goldstein wrote:
+void ovl_revert_creds(const struct cred *old_cred)
+{
+ if (old_cred)
+ revert_creds(old_cred);
+}
+
Mark,
Not sure if you have seen my "shutdown" patches:
https://lore.kernel.org/linux-fsdevel/20190715133839.9878-4-amir7...@gmail.
Thanks for the review.
On 7/25/19 4:00 AM, Amir Goldstein wrote:
On Wed, Jul 24, 2019 at 10:57 PM Mark Salyzyn wrote:
Check impure, opaque, origin & meta xattr with no sepolicy audit
(using __vfs_getxattr) since these operations are internal to
overlayfs operations and do not disclose
in, rather than being denied
with an -EACCES when vfs_getxattr handler is called.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc
uld be fixed for
completeness and for general use in time.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc@vger.kernel.org
Assumption never checked, should fail if the mounter creds are not
sufficient.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc
heck can be expensive.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc@vger.kernel.org
Cc: linux-ker...@vger.kernel.org
Cc: kern
Add an optional __get xattr method that would be called, if set, only
in __vfs_getxattr instead of the regular get xattr method.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
credentials. The module boolean parameter and mount option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/overlay_creds
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biede
On 11/09/2018 11:51 PM, Amir Goldstein wrote:
On Fri, Nov 9, 2018 at 7:32 PM Mark Salyzyn wrote:
On 11/08/2018 07:05 PM, Amir Goldstein wrote:
Mark,
I have some Android internals background, so I have a general
understanding of the
use case, but I can understand why people have a hard time
On 11/08/2018 07:05 PM, Amir Goldstein wrote:
On Thu, Nov 8, 2018 at 11:28 PM Mark Salyzyn wrote:
On 11/08/2018 12:01 PM, Vivek Goyal wrote:
On Tue, Nov 06, 2018 at 03:01:15PM -0800, Mark Salyzyn wrote:
By default, all access to the upper, lower and work directories is the
recorded mounter&#
uld be fixed for
completeness and for general use in time.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc@vger.kernel.org
Assumption never checked, should fail if the mounter creds are not
sufficient.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc
a minimal MAC set of privileges to reduce any attack surface,
and services that use the content have a different set of MAC
privileges (eg: read, for vendor labelled configuration, execute for
vendor libraries and modules).
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc:
Assumption never checked, should fail if the mounter creds are not
sufficient.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc
On 11/06/2018 12:39 AM, Miklos Szeredi wrote:
On Mon, Nov 5, 2018 at 7:47 PM, Amir Goldstein wrote:
On Mon, Nov 5, 2018 at 8:22 PM Mark Salyzyn wrote:
@@ -1549,7 +1569,8 @@ static int ovl_fill_super(struct super_block *sb, void
*data, int silent)
ovl_dentry_lower
Assumption never checked, should fail if the mounter creds are not
sufficient.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc
ions; all
subsequent operations after mount on the filesystem will be only the
caller's credentials. The module boolean parameter and mount option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/overlay_creds.
Signed-off-b
ions; all
subsequent operations after mount on the filesystem will be only the
caller's credentials. The module boolean parameter and mount option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/overlay_creds.
Signed-off-b
credentials. The module boolean parameter and mount option
override_creds is also added as a presence check for this "feature",
existence of /sys/module/overlay/parameters/overlay_creds
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W
Assumption never checked, should fail if the mounter creds are not
sufficient.
Signed-off-by: Mark Salyzyn
Cc: Miklos Szeredi
Cc: Jonathan Corbet
Cc: Vivek Goyal
Cc: Eric W. Biederman
Cc: Amir Goldstein
Cc: Randy Dunlap
Cc: Stephen Smalley
Cc: linux-unio...@vger.kernel.org
Cc: linux-doc
On 09/15/2017 06:28 AM, Petr Mladek wrote:
I am still slightly nervous that external tools would need updating.
Also they might have troubles to interpret the time stamps especially
when the source is changed at runtime via
/sys/module/printk/parameters/time.
My comment below is a rehash/summary
On 09/05/2017 05:06 AM, Prarit Bhargava wrote:
printk.time=1/CONFIG_PRINTK_TIME=1 adds a unmodified local hardware clock
timestamp to printk messages. The local hardware clock loses time each
day making it difficult to determine exactly when an issue has occurred in
the kernel log, and making it
On 08/17/2017 06:15 AM, Prarit Bhargava wrote:
printk.time=1/CONFIG_PRINTK_TIME=1 adds a unmodified local hardware clock
timestamp to printk messages. The local hardware clock loses time each
day making it difficult to determine exactly when an issue has occurred in
the kernel log, and making it
On 08/16/2017 08:17 AM, Prarit Bhargava wrote:
. . .
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index fc47863f629c..f627a9bb97d1 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -576,6 +576,9 @@ static u32 truncate_msg(u16 *text_len, u16 *trunc_msg_len,
On 08/07/2017 08:52 AM, Prarit Bhargava wrote:
diff --git a/arch/arm/configs/aspeed_g4_defconfig
b/arch/arm/configs/aspeed_g4_defconfig
index cfc2465e8b77..5f3c50914e92 100644
--- a/arch/arm/configs/aspeed_g4_defconfig
+++ b/arch/arm/configs/aspeed_g4_defconfig
@@ -162,7 +162,7 @@ CONFIG_JFFS2_F
On 08/03/2017 06:18 PM, Prarit Bhargava wrote:
+ /*
+* Only allow enabling and disabling of the current printk_time
+* setting. Changing it from one setting to another confuses
+* userspace.
+*/
We should allow a debug option to permit this (but that can be
On 08/03/2017 06:18 PM, Prarit Bhargava wrote:
diff --git a/arch/arm/configs/aspeed_g4_defconfig
b/arch/arm/configs/aspeed_g4_defconfig
index cfc2465e8b77..6c73c305ad17 100644
--- a/arch/arm/configs/aspeed_g4_defconfig
+++ b/arch/arm/configs/aspeed_g4_defconfig
@@ -162,7 +162,9 @@ CONFIG_JFFS2_
a reason your not also adding PRINTK_TIME_BOOT here (which to
me would be more generally useful then REAL or MONO)?
REAL has been useful to me in debug cases where events on the system were timed
to the wall clock (ex cron job running at 3AM). I hadn't really thought much
about using BOOT TBH
On 07/25/2017 06:00 AM, Peter Zijlstra wrote:
On Tue, Jul 25, 2017 at 08:17:27AM -0400, Prarit Bhargava wrote:
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 5b1662ec546f..6cd38a25f8ea 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1,8 +1,8 @@
menu "printk and dmesg optio
When CONFIG_MMC_SIMULATE_MAX_SPEED is enabled, Expose max_read_speed,
max_write_speed and cache_size default module parameters and sysfs
controls to simulate a slow eMMC device. Default values are 0 (off),
0 (off) and 4 MB respectively.
Signed-off-by: Mark Salyzyn
---
changes in v2: change from
On 03/16/2016 06:03 AM, Ulf Hansson wrote:
On 22 February 2016 at 18:18, Mark Salyzyn wrote:
When CONFIG_MMC_SIMULATE_MAX_SPEED is enabled, Expose max_read_speed,
max_write_speed and cache_size sysfs controls to simulate a slow
eMMC device. The boot default values, should one wish to set this
CONFIG_MMC_SIMULATE_MAX_WRITE_SPEED
CONFIG_MMC_SIMULATE_CACHE_SIZE
respectively; and if not defined are 0 (off), 0 (off) and 4 MB
also respectively.
Signed-off-by: Mark Salyzyn
---
changes in v2: change from CONFIG_MMC_BLOCK_MAX_SPEED to
CONFIG_MMC_SIMULATE_MAX_SPEED. Add documentation.
Documentation/block/00-INDEX
52 matches
Mail list logo
