h as this:
# mkdir mnt
# mount -t tmpfs nodev mnt
# mount -o remount,rw mnt
mount: /home/ubuntu/mnt: mount point not mounted or bad option.
Prevent CONFIG_TMPFS_INODE64 from being selected on alpha.
Fixes: ea3271f7196c ("tmpfs: support 64-bit inums per-sb")
Cc: sta...@vger.kernel.o
On Sun, Feb 07, 2021 at 05:48:31PM +0300, Kirill A. Shutemov wrote:
> On Fri, Feb 05, 2021 at 05:06:20PM -0600, Seth Forshee wrote:
> > This feature requires ino_t be 64-bits, which is true for every
> > 64-bit architecture but s390, so prevent this option from being
> > selec
This feature requires ino_t be 64-bits, which is true for every
64-bit architecture but s390, so prevent this option from being
selected there.
Fixes: ea3271f7196c ("tmpfs: support 64-bit inums per-sb")
Cc: # v5.9+
Signed-off-by: Seth Forshee
---
fs/Kconfig | 2 +-
1 file changed, 1
On Fri, Feb 05, 2021 at 01:23:13PM -0800, Andrew Morton wrote:
> On Fri, 5 Feb 2021 14:55:43 -0600 Seth Forshee
> wrote:
>
> > On Fri, Feb 05, 2021 at 12:41:57PM -0800, Andrew Morton wrote:
> > > On Fri, 5 Feb 2021 14:21:59 -0600 Seth Forshee
> > > wrote:
>
On Fri, Feb 05, 2021 at 12:41:57PM -0800, Andrew Morton wrote:
> On Fri, 5 Feb 2021 14:21:59 -0600 Seth Forshee
> wrote:
>
> > Currently there seems to be an assumption in tmpfs that 64-bit
> > architectures also have a 64-bit ino_t. This is not true; s390 at
> > lea
g to honor the CONFIG_TMPFS_INODE64 setting when
sizeof(ino_t) < 8.
Fixes: ea3271f7196c ("tmpfs: support 64-bit inums per-sb")
Signed-off-by: Seth Forshee
---
mm/shmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/shmem.c b/mm/shmem.c
index 7c6b6d8f6c39..efd
get -o /tmp/cclBz55H.s
>
> The fact that you triggered it with an Ubuntu gcc explains why the
> original patch adding that switch:
>
> 29be86d7f9cb ("kbuild: add -fcf-protection=none when using retpoline flags")
>
> came from a Canonical.
>
> Adding the author to Cc for FYI.
>
> Seth, you can find this thread starting here:
>
> https://lkml.kernel.org/r/20210128215219.6kct3h2eiustncws@treble
Thanks for the heads up. This still works fine for our needs.
Acked-by: Seth Forshee
On Wed, Dec 09, 2020 at 04:15:35PM -0800, Andrii Nakryiko wrote:
> On Wed, Dec 9, 2020 at 2:24 PM Seth Forshee
> wrote:
> >
> > Building the BPF selftests with clang 11, I'm getting the following
> > error:
> >
> >CLNG-LLC [test_maps] profiler1.o
>
Building the BPF selftests with clang 11, I'm getting the following
error:
CLNG-LLC [test_maps] profiler1.o
In file included from progs/profiler1.c:6:
progs/profiler.inc.h:260:17: error: use of unknown builtin
'__builtin_preserve_enum_value' [-Wimplicit-function-declaration]
On Thu, Sep 17, 2020 at 11:14:06AM +0200, Jiri Olsa wrote:
> On Thu, Sep 17, 2020 at 10:38:12AM +0200, Jiri Olsa wrote:
> > On Thu, Sep 17, 2020 at 10:04:55AM +0200, Jiri Olsa wrote:
> > > On Wed, Sep 16, 2020 at 02:47:33PM -0500, Seth Forshee wrote:
> > > > The requi
The requirement to build resolve_btfids whenever CONFIG_DEBUG_INFO_BTF
is enabled breaks some cross builds. For example, when building a 64-bit
powerpc kernel on amd64 I get:
Auto-detecting system features:
...libelf: [ on ]
... zlib: [ [3
The tests in lib/test_bpf.c were all passing in 5.4 when using the JIT,
but some are failing in 5.7/5.8. Some of the failures are due to the
removal of BPF_SIZE_MAX causing some expected failures to pass, which I
have already sent a patch for [1]. The remaining failures appear to be
regressions. I
should no longer be flagged.
Fixes: d1242b10ff03 ("s390/bpf: Remove JITed image size limitations")
Signed-off-by: Seth Forshee
---
lib/test_bpf.c | 20
1 file changed, 20 deletions(-)
diff --git a/lib/test_bpf.c b/lib/test_bpf.c
index a5fddf9ebcb7..ca7d635bccd9 10
Signed-off-by: Lukas Bulwahn
I didn't think to check MAINTAINERS when renaming the file. This makes
sense to me.
Acked-by: Seth Forshee
> ---
> applies cleanly on next-20200626
>
> Seth, please ack.
> Mark, please pick this minor non-urgent patch into your -next tree.
>
This module shares the same name as its parent PMIC driver, which
confuses tools like kmod. Rename the regulator driver to avoid
such problems.
Signed-off-by: Seth Forshee
---
drivers/regulator/Makefile | 2 +-
drivers/regulator/{da903x.c => da903x-regulator.c} | 0
On Fri, May 29, 2020 at 03:26:06PM -0600, Shuah Khan wrote:
> On 5/29/20 2:37 PM, Seth Forshee wrote:
> > On Wed, Mar 04, 2020 at 04:20:09PM -0600, Seth Forshee wrote:
> > > Test cases which use echo to write strings containing backslashes
> > > fail with some she
On Wed, Mar 04, 2020 at 04:20:09PM -0600, Seth Forshee wrote:
> Test cases which use echo to write strings containing backslashes
> fail with some shells, as echo's treatment of backslashes in
> strings varies between shell implementations. Use printf instead,
> as it should be
The addition of struct clone_args to uapi/linux/sched.h is not
protected by __ASSEMBLY__ guards, causing a FTBFS for glibc on
RISC-V. Add the guards to fix this.
Fixes: 7f192e3cd316 ("fork: add clone3")
Signed-off-by: Seth Forshee
---
include/uapi/linux/sched.h | 2 ++
1 file
On Thu, Aug 15, 2019 at 04:36:02PM +0200, Oleksandr Natalenko wrote:
> Hey, people.
>
> I was lurking at shiftfs just out of curiosity and managed to bump into
> a compiler warning that is (as I suppose) easily fixed by the subsequent
> patch.
>
> Feel free to drag this into your Ubuntu tree if n
enabled
prevents such build failures.
Signed-off-by: Seth Forshee
---
Makefile | 6 ++
1 file changed, 6 insertions(+)
diff --git a/Makefile b/Makefile
index 3e4868a6498b..73a94d1db2b6 100644
--- a/Makefile
+++ b/Makefile
@@ -878,6 +878,12 @@ KBUILD_CFLAGS += $(call
cc-option,-Werror
On Wed, Jul 17, 2019 at 11:52:07AM +0900, Masahiro Yamada wrote:
> On Wed, Jul 17, 2019 at 1:20 AM Josh Poimboeuf wrote:
> >
> > On Tue, Jul 16, 2019 at 07:42:49AM -0500, Seth Forshee wrote:
> > > On Tue, Jul 16, 2019 at 03:57:24PM +0900, Masahiro Yamada wrote:
>
On Tue, Jul 16, 2019 at 03:57:24PM +0900, Masahiro Yamada wrote:
> (+ Josh Poimboeuf)
>
> On Tue, Jul 16, 2019 at 8:44 AM kbuild test robot wrote:
> >
> > tree:
> > https://kernel.googlesource.com/pub/scm/linux/kernel/git/masahiroy/linux-kbuild.git
> > kbuild
> > head: 0ff0c3753e06c0420c80d
-mindirect-branch and -fcf-protection are not compatible, and
so kernel builds fail with a gcc build where -fcf-protection is
enabled by default. Add -fcf-protection=none to the retpoline
flags to fix this.
Signed-off-by: Seth Forshee
---
Makefile | 4
1 file changed, 4 insertions(+)
diff
On Tue, Feb 05, 2019 at 01:52:21PM -0500, Mimi Zohar wrote:
> On Tue, 2019-02-05 at 12:32 -0600, Seth Forshee wrote:
> > On Tue, Feb 05, 2019 at 11:47:24AM -0500, Mimi Zohar wrote:
> > > Hi Seth,
> > >
> > > On Tue, 2019-02-05 at 09:18 -0600, Seth Forshee wrote
On Tue, Feb 05, 2019 at 11:47:24AM -0500, Mimi Zohar wrote:
> Hi Seth,
>
> On Tue, 2019-02-05 at 09:18 -0600, Seth Forshee wrote:
> > On Thu, Jan 31, 2019 at 02:18:59PM -0500, Mimi Zohar wrote:
> > > Require signed kernel modules on systems with secure boot mode
On Thu, Jan 31, 2019 at 02:18:59PM -0500, Mimi Zohar wrote:
> Require signed kernel modules on systems with secure boot mode enabled.
>
> To coordinate between appended kernel module signatures and IMA
> signatures, only define an IMA MODULE_CHECK policy rule if
> CONFIG_MODULE_SIG is not enabled.
On Fri, Nov 02, 2018 at 03:16:05PM +0200, Amir Goldstein wrote:
> On Fri, Nov 2, 2018 at 2:44 PM Seth Forshee
> wrote:
> >
> > On Fri, Nov 02, 2018 at 12:02:45PM +0200, Amir Goldstein wrote:
> > > On Thu, Nov 1, 2018 at 11:49 PM Seth Forshee
> > > wrote:
>
On Fri, Nov 02, 2018 at 12:02:45PM +0200, Amir Goldstein wrote:
> On Thu, Nov 1, 2018 at 11:49 PM Seth Forshee
> wrote:
> >
> > shiftfs mounts cannot be nested for two reasons -- global
> > CAP_SYS_ADMIN is required to set up a mark mount, and a single
> > func
On Fri, Nov 02, 2018 at 10:59:38AM +0200, Amir Goldstein wrote:
> [cc: linux-unionfs
> It should be the mailing list for *all* "stacking fs".
> We have a lot of common problems I think ;-) ]
>
> On Thu, Nov 1, 2018 at 11:49 PM Seth Forshee
> wrote:
> >
> >
to the watch original inode.
Signed-off-by: Seth Forshee
---
fs/shiftfs.c | 105 ++-
1 file changed, 79 insertions(+), 26 deletions(-)
diff --git a/fs/shiftfs.c b/fs/shiftfs.c
index 6028244c2f42..b179a1be7bc1 100644
--- a/fs/shiftfs.c
+++ b/fs
that is going to be
repeated.
Signed-off-by: Seth Forshee
---
fs/shiftfs.c | 30 +-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/fs/shiftfs.c b/fs/shiftfs.c
index b179a1be7bc1..556594988dd2 100644
--- a/fs/shiftfs.c
+++ b/fs/shiftfs.c
@@ -266,6 +266,33
Do not assume that ids from the lower filesystem are from
init_user_ns. Instead, translate them from that filesystem's
s_user_ns and then to the shiftfs user ns.
Signed-off-by: Seth Forshee
---
fs/shiftfs.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/shiftf
Signed-off-by: Seth Forshee
---
fs/Kconfig | 10 +++
fs/shiftfs.c | 185 +++
2 files changed, 195 insertions(+)
diff --git a/fs/Kconfig b/fs/Kconfig
index 392c5a41a9f9..691f3c4fc7eb 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -121,6 +121,16
, and the lower path has
already been marked safe for id shifting by a user privileged
towards all ids in that mount's user ns.
Signed-off-by: Seth Forshee
---
fs/shiftfs.c | 68 +++-
1 file changed, 46 insertions(+), 22 deletions(-)
diff
for path declarations to fix errors
with struct randomization ]
Signed-off-by: Seth Forshee
---
v3 - update to 4.14 (d_real changes)
v1 - based on original shiftfs with uid mappings now done via s_user_ns
v2 - fix revalidation of dentries
add inode aliasing
---
fs/Kconfig
lar some of the posix acl code).
I've also pushed these patches to:
git://git.kernel.org/pub/scm/linux/kernel/git/sforshee/linux.git shiftfs
Thanks,
Seth
[1] https://linuxplumbersconf.org/event/2/contributions/212/
---
James Bottomley (1):
shiftfs: uid/gid shifting bind mount
Seth Fors
+Cc David
On Fri, Jun 15, 2018 at 02:35:14PM -0700, James Bottomley wrote:
> This is a repost of the v2 patch updated for the d_real changes
>
> For those who want to test it out, there's a git tree here
>
> git://git.kernel.org/pub/scm/linux/kernel/git/jejb/binfmt_misc.git
>
> on the shiftfs-v
On Thu, May 24, 2018 at 11:55:45AM -0500, Eric W. Biederman wrote:
> Seth Forshee writes:
>
> > On Wed, May 23, 2018 at 06:25:34PM -0500, Eric W. Biederman wrote:
> >> These filesystems already always set SB_I_NODEV so mknod will not be
> >> useful for gaining co
nderlying filesystem which should not be allowed. That
mknod will be subject to this same check in the underlying filesystem
using the credentials of the user that mounted the overlay fs, which
should be sufficient to ensure that the mknod is permitted.
Thus this looks okay to me.
Acked-by: Seth Forshee
> filesystem. To prevent possible filesystem and to avoid the need for
> filesystem maintainers to worry about it don't allow operations on
> inodes with an invalid uid or gid.
>
> Signed-off-by: "Eric W. Biederman"
Acked-by: Seth Forshee
pts to handle this better last cycle. I
> figure we should go with the stupid version for now. I think I know
> how to do better but I don't want that to gate forward progress on
> fully unprivileged fuse mounts. Especially as this is the last known
> issue to deal with.
This seems reasonable as a short-term measure.
Acked-by: Seth Forshee
om/kinvolk/linux/commits/alban/fuse-flag-ima-nocache-v3
> [4] https://github.com/kinvolk/fuse-userns-patches/commit/cf1f5750cab0
>
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-integr...@vger.kernel.org
> Cc: linux-security-mod...@vger.kernel.org
> Cc: linux-fsde...@vger.kernel.o
On Wed, Jan 17, 2018 at 07:56:59PM +0100, Alban Crequy wrote:
> On Wed, Jan 17, 2018 at 3:29 PM, Seth Forshee
> wrote:
> > On Wed, Jan 17, 2018 at 11:59:06AM +0100, Alban Crequy wrote:
> >> [Adding Tejun, David, Tom for question about cuse]
> >>
> >> On Fr
On Wed, Jan 17, 2018 at 11:59:06AM +0100, Alban Crequy wrote:
> [Adding Tejun, David, Tom for question about cuse]
>
> On Fri, Dec 22, 2017 at 3:32 PM, Dongsu Park wrote:
> > From: Seth Forshee
> >
> > In order to support mounts from namespaces other than
> >
On Fri, Dec 22, 2017 at 10:12:40AM -0600, Seth Forshee wrote:
> On Fri, Dec 22, 2017 at 03:49:25PM +0100, Michal Hocko wrote:
> > On Mon 18-12-17 15:53:20, Michal Hocko wrote:
> > > On Fri 01-12-17 08:23:27, Seth Forshee wrote:
> > > > On Mon, Sep 25, 2017 at 02:58:
On Fri, Dec 22, 2017 at 03:49:25PM +0100, Michal Hocko wrote:
> On Mon 18-12-17 15:53:20, Michal Hocko wrote:
> > On Fri 01-12-17 08:23:27, Seth Forshee wrote:
> > > On Mon, Sep 25, 2017 at 02:58:25PM +0200, Michal Hocko wrote:
> > > > On Thu 21-09-1
On Mon, Sep 25, 2017 at 02:58:25PM +0200, Michal Hocko wrote:
> On Thu 21-09-17 00:40:34, Seth Forshee wrote:
> > On Wed, Sep 20, 2017 at 11:29:31AM +0200, Michal Hocko wrote:
> > > Hi,
> > > I am currently at a conference so I will most probably get to this next
> >
skip
any paths which are too long for the filename buffer.
Signed-off-by: Seth Forshee
---
tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c
b/tools/testing
ed in this function [-Werror=maybe-uninitialized]
unsigned long register r3 asm("r3") = in[0];
~~^~~
Fix callers to this function to always zero-initialize the input
arguments array to prevent this.
Signed-off-by: Seth Forshee
---
arch
On Wed, Sep 20, 2017 at 11:29:31AM +0200, Michal Hocko wrote:
> Hi,
> I am currently at a conference so I will most probably get to this next
> week but I will try to ASAP.
>
> On Tue 19-09-17 11:41:14, Seth Forshee wrote:
> > Hi Michal,
> >
> > I'm s
On Thu, Sep 07, 2017 at 04:32:46PM -0700, Kees Cook wrote:
> The 2.26 release of glibc changed how siginfo_t is defined, and the earlier
> work-around to using the kernel definition are no longer needed. The old
> way needs to stay around for a while, though.
>
> Reported-by: Set
Hi Kees,
I'm seeing build failures with your seccomp selftest when using glibc
2.26. The first are related to changing macro names from __have_sig*_t
to __sig*_t_defined. But after defining those there are more conflicting
definitions. I was able to get it to build with the changes below,
however
088 ("scsi: aacraid: Retrieve HBA host information ioctl")
Signed-off-by: Seth Forshee
---
drivers/scsi/aacraid/commctrl.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
index d2f8d5954840..476ada6e39d0 100644
--- a/
On Sun, Apr 09, 2017 at 09:14:03AM -0400, Paul Moore wrote:
> On Sat, Apr 8, 2017 at 11:02 PM, Seth Forshee
> wrote:
> > I've observed audit regressions in 4.11-rc when not using a userspace
> > audit daemon. The most obvious issue is that audit messages are not
> > a
I've observed audit regressions in 4.11-rc when not using a userspace
audit daemon. The most obvious issue is that audit messages are not
appearing in dmesg anymore. If a sufficient number of audit messages are
generated the kernel will also start invoking the OOM killer.
It looks like previously,
> revert_creds() and their variable.
>
> Fixes: aeaa4a79ff6a ("fs: Call d_automount with the filesystems creds")
> Signed-off-by: David Howells
> cc: Seth Forshee
> cc: "Eric W. Biederman"
> cc: Al Viro
Eric's already applied a patch that should f
On Thu, Sep 22, 2016 at 10:27:56AM -0500, Seth Forshee wrote:
> On Thu, Sep 22, 2016 at 04:17:09PM +0100, Sachin Prabhu wrote:
> > On Thu, 2016-09-22 at 10:09 -0500, Seth Forshee wrote:
> > > We've received reports from users of a cifs mount regression in our
> > >
On Thu, Sep 22, 2016 at 04:17:09PM +0100, Sachin Prabhu wrote:
> On Thu, 2016-09-22 at 10:09 -0500, Seth Forshee wrote:
> > We've received reports from users of a cifs mount regression in our
> > 4.4-based kernel, e.g. [1]. It is fixed by reverting the following
> > com
We've received reports from users of a cifs mount regression in our
4.4-based kernel, e.g. [1]. It is fixed by reverting the following commit
from 4.8 which was applied to 4.4 stable:
a6b5058 fs/cifs: make share unaccessible at root level mountable
Testing against 4.8-rc7 shows that the problem i
terface to modules, then use it in
xenbus when creating /proc/xen.
Acked-by: David Vrabel
Signed-off-by: Seth Forshee
---
Resending to add some Cc's I missed the first time.
drivers/xen/xenbus/xenbus_probe.c | 2 +-
fs/proc/generic.c | 1 +
fs/proc/internal.h
On Tue, Aug 30, 2016 at 04:00:03PM +0100, David Vrabel wrote:
> On 29/08/16 16:03, Seth Forshee wrote:
> > Mounting proc in user namespace containers fails if the xenbus
> > filesystem is mounted on /proc/xen because this directory fails
> > the "permanently empty"
On Tue, Aug 30, 2016 at 04:48:08PM +0200, Juergen Gross wrote:
> On 29/08/16 17:03, Seth Forshee wrote:
> > Mounting proc in user namespace containers fails if the xenbus
> > filesystem is mounted on /proc/xen because this directory fails
> > the "permanently empty"
terface to modules, then use it in
xenbus when creating /proc/xen.
Signed-off-by: Seth Forshee
---
drivers/xen/xenbus/xenbus_probe.c | 2 +-
fs/proc/generic.c | 1 +
fs/proc/internal.h| 1 -
include/linux/proc_fs.h | 2 ++
4 files changed, 4 insertions(+), 2
On Tue, Jul 19, 2016 at 07:44:11PM -0700, Sheng Yang wrote:
> On Tue, Apr 26, 2016 at 12:36 PM, Seth Forshee
> wrote:
> > When the userspace process servicing fuse requests is running in
> > a pid namespace then pids passed via the fuse fd are not being
> > translated into
On Mon, Jul 11, 2016 at 07:03:31AM -0400, Jeff Layton wrote:
> On Mon, 2016-07-11 at 09:23 +0200, Michal Hocko wrote:
> > On Fri 08-07-16 10:27:38, Jeff Layton wrote:
> > > On Fri, 2016-07-08 at 16:23 +0200, Michal Hocko wrote:
> > > > On Fri 08-07-16 08:51:54, Jeff Layton wrote:
> > > > >
> > > >
On Fri, Jul 08, 2016 at 09:53:30AM +1000, Dave Chinner wrote:
> On Wed, Jul 06, 2016 at 06:07:18PM -0400, Jeff Layton wrote:
> > On Wed, 2016-07-06 at 12:46 -0500, Seth Forshee wrote:
> > > We're seeing a hang when freezing a container with an nfs bind mount while
> >
On Fri, Jul 08, 2016 at 02:22:24PM +0200, Michal Hocko wrote:
> On Wed 06-07-16 18:07:18, Jeff Layton wrote:
> > On Wed, 2016-07-06 at 12:46 -0500, Seth Forshee wrote:
> > > We're seeing a hang when freezing a container with an nfs bind mount while
> > > running i
On Wed, Jul 06, 2016 at 06:07:18PM -0400, Jeff Layton wrote:
> On Wed, 2016-07-06 at 12:46 -0500, Seth Forshee wrote:
> > We're seeing a hang when freezing a container with an nfs bind mount while
> > running iozone. Two iozone processes were hung with this stack trace.
> >
We're seeing a hang when freezing a container with an nfs bind mount while
running iozone. Two iozone processes were hung with this stack trace.
[] schedule+0x35/0x80
[] schedule_preempt_disabled+0xe/0x10
[] __mutex_lock_slowpath+0xb9/0x130
[] mutex_lock+0x1f/0x30
[] do_unlinkat+0x12b/0x2d0
On Wed, May 18, 2016 at 10:45:31AM -0500, Eric W. Biederman wrote:
> > But if we do that it violates some of the assumptions of the patch to
> > rework MNT_NODEV on your testing branch (and also those behind patch 2
> > in this series). Something will need to be changed there to prevent a
> > regre
On Tue, May 17, 2016 at 05:39:33PM -0500, Eric W. Biederman wrote:
> Seth Forshee writes:
>
> > Both of these filesystems already have use cases for mounting the
> > same super block from multiple user namespaces. For sysfs this
> > happens when using criu for snapsho
On Mon, May 16, 2016 at 11:42:46AM -0500, Eric W. Biederman wrote:
> Seth Forshee writes:
>
> > On Sat, May 14, 2016 at 09:21:55PM -0500, Eric W. Biederman wrote:
> >> I have slowly been working with Seth Forshee on these issues as
> >> the last thing I want
On Sat, May 14, 2016 at 09:21:55PM -0500, Eric W. Biederman wrote:
> I have slowly been working with Seth Forshee on these issues as
> the last thing I want is to introduce more security bugs right now.
> Seth being a braver man than I am has already merged his changes into
>
On Wed, May 04, 2016 at 11:19:04PM +, Serge Hallyn wrote:
> Quoting Djalal Harouni (tix...@gmail.com):
> > If a process gets access to a mount from a different user
> > namespace, that process should not be able to take advantage of
> > setuid files or selinux entrypoints from that filesystem.
On Wed, May 04, 2016 at 01:21:46AM +0200, Djalal Harouni wrote:
> This RFC tries to explore how to support filesystem operations inside
> user namespace using only VFS and a per mount namespace solution. This
> allows to take advantage of user namespace separations without
> introducing any change
lest possible design which meets the requirements.
Acked-by: Seth Forshee
ki (1):
fs: Treat foreign mounts as nosuid
Pavel Tikhomirov (1):
fs: fix a posible leak of allocated superblock
Seth Forshee (19):
fs: Remove check of s_user_ns for existing mounts in
fs_fully_visible()
fs: Allow sysfs and cgroupfs to share super blocks between user
namespaces
bloc
On Mon, Apr 25, 2016 at 03:30:47PM -0500, Serge E. Hallyn wrote:
> Quoting Seth Forshee (seth.fors...@canonical.com):
> > In a userns mount some on-disk inodes may have ids which do not
> > map into s_user_ns, in which case the in-kernel inodes are owned
> > by invalid users.
ermitted when protected
symlinks are enabled.
Add a new helper function, uid_valid_eq(), and use this to
validate that the ids in may_follow_link() are both equal and
valid. Also add an equivalent helper for gids, which is
currently unused.
Signed-off-by: Seth Forshee
Acked-by: Serge Hallyn
objects, but also allow the
policy writer to specify a different label through policy
transition rules.
Pieced together from code snippets provided by Stephen Smalley.
Signed-off-by: Seth Forshee
Acked-by: Stephen Smalley
Acked-by: James Morris
---
security/selinux/hooks.c | 23
Add checks to inode_change_ok to verify that uid and gid changes
will map into the superblock's user namespace. If they do not
fail with -EOVERFLOW. This cannot be overridden with ATTR_FORCE.
Signed-off-by: Seth Forshee
Acked-by: Serge Hallyn
---
fs/attr.c | 11 +++
1 file change
in a non-init
namespace when fs_fully_visible() is called, so that condition
can simply be removed.
Signed-off-by: Seth Forshee
---
fs/namespace.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index f20c82f91ecb..c133318bec35 100644
--- a
Using INVALID_[UG]ID for the LSM file creation context doesn't
make sense, so return an error if the inode passed to
set_create_file_as() has an invalid id.
Signed-off-by: Seth Forshee
Acked-by: Serge Hallyn
---
kernel/cred.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/c
group filesystems to fix the
regressions.
Signed-off-by: Seth Forshee
Acked-by: Serge Hallyn
---
fs/super.c | 3 ++-
fs/sysfs/mount.c | 3 ++-
include/linux/fs.h | 1 +
kernel/cgroup.c| 4 ++--
4 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/fs/super.c b/fs/super.c
All current callers of in_userns pass current_user_ns as the
first argument. Simplify by replacing in_userns with
current_in_userns which checks whether current_user_ns is in the
namespace supplied as an argument.
Signed-off-by: Seth Forshee
Acked-by: James Morris
Acked-by: Serge Hallyn
has CAP_SYS_ADMIN.
All callers of lookup_bdev() currently pass a mask of 0, so this
patch results in no functional change. Subsequent patches will
add permission checks where appropriate.
Signed-off-by: Seth Forshee
Acked-by: Serge Hallyn
---
drivers/md/bcache/super.c | 2 +-
drivers/md/dm
Expand the check in should_remove_suid() to keep privileges for
CAP_FSETID in s_user_ns rather than init_user_ns.
Signed-off-by: Seth Forshee
Acked-by: Serge Hallyn
---
fs/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/inode.c b/fs/inode.c
index 69b8b526c194
filesystems are not expected
to have inodes with invalid ids, but if it does happen any
setattr operations will return -EPERM.
Signed-off-by: Seth Forshee
Acked-by: Serge Hallyn
---
fs/attr.c | 62 ---
fs/kernfs/inode.c | 2 ++
fs
ids in on-disk ACLs should be converted to s_user_ns instead of
init_user_ns as is done now. This introduces the possibility for
id mappings to fail, and when this happens syscalls will return
EOVERFLOW.
Signed-off-by: Seth Forshee
Acked-by: Serge Hallyn
---
fs/posix_acl.c
-5207 much
more difficult to exploit.
Signed-off-by: Andy Lutomirski
Signed-off-by: Seth Forshee
Acked-by: James Morris
Acked-by: Serge Hallyn
---
fs/exec.c| 2 +-
fs/namespace.c | 13 +
include/linux/mount.h| 1 +
security/commoncap.c
could be relaxed in the future if needed.
For cuse the namespace used for the connection is also simply
current_user_ns() at the time /dev/cuse is opened.
Signed-off-by: Seth Forshee
---
fs/fuse/cuse.c | 3 ++-
fs/fuse/dev.c| 13 -
fs/fuse/dir.c| 14 +++---
fs/fuse
the unprivileged user
the ability to manipulate processes it would otherwise be unable
to manipulate. Restrict allow_other to apply to users in the same
userns used at mount or a descendant of that namespace. Also
export current_in_userns() for use by fuse when built as a
module.
Signed-off-by: Seth
Signed-off-by: Seth Forshee
Acked-by: Miklos Szeredi
---
fs/fuse/inode.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 0a771145d853..254f1944ee98 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1199,7 +1199,7 @@ static
is safe in this respect as well.
Signed-off-by: Seth Forshee
Acked-by: Serge Hallyn
---
security/commoncap.c | 12
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index e657227d221e..12477afaa8ed 100644
--- a/security
ot be translated into the
target namespace are not permitted, except for requests
allocated via fuse_get_req_nofail_nopages. For no-fail requests
in.h.pid will be 0 if the pid translation fails.
File locking changes based on previous work done by Eric
Biederman.
Signed-off-by: Seth Forshee
Acked-by: M
filesystem.
Signed-off-by: Seth Forshee
Acked-by: "Eric W. Biederman"
Acked-by: Serge Hallyn
---
fs/namespace.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index 0ad8e4a4f50b..575e3f8b34fd 100644
--- a/fs/namespace.c
+++ b/fs/n
privileged mounts will
continue working as before.
Signed-off-by: Seth Forshee
Acked-by: Serge Hallyn
---
fs/block_dev.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/block_dev.c b/fs/block_dev.c
index e9b937845bdb..2007040afb7b 100644
--- a/fs/block_dev.c
+++ b/fs
and SMACK64MMAP
access is denied if the label does not match smk_root. To be
consistent with suid, a SMACK64EXEC label which does not match
smk_root will still allow execution of the file but will not run
with the label supplied in the xattr.
Signed-off-by: Seth Forshee
Acked-by: Casey Schaufler
.
Signed-off-by: Pavel Tikhomirov
Acked-by: Seth Forshee
---
fs/super.c | 4
1 file changed, 4 insertions(+)
diff --git a/fs/super.c b/fs/super.c
index 829841e0ae7e..092a7828442e 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -474,6 +474,10 @@ retry:
On Tue, Mar 29, 2016 at 08:01:03AM -0500, Seth Forshee wrote:
> A failed call to dqget() returns an ERR_PTR() and not null. Fix
> the check in ext4_ioctl_setproject() to handle this correctly.
>
> Fixes: 9b7365fc1c82 ("ext4: add FS_IOC_FSSETXATTR/FS_IOC_FSGETXATTR interface
>
1 - 100 of 558 matches