Re: [PATCH] ovl: filter of trusted xattr results in audit

2019-10-07 Thread Greg Kroah-Hartman
On Mon, Oct 07, 2019 at 09:42:08AM -0700, Mark Salyzyn wrote: > > > > Now what is the playbook, we have three options in order of preference: > > 1) #ifdef MODULE use capable() to preserve API, add a short comment about > the side effects if overlayfs is used as a module. > > 2) export has_cap

Re: [PATCH] ovl: filter of trusted xattr results in audit

2019-10-07 Thread Mark Salyzyn
On 10/7/19 9:40 AM, Greg Kroah-Hartman wrote: On Mon, Oct 07, 2019 at 06:17:25PM +0200, Greg Kroah-Hartman wrote: On Mon, Oct 07, 2019 at 06:16:16PM +0200, Greg Kroah-Hartman wrote: On Mon, Oct 07, 2019 at 09:09:16AM -0700, Mark Salyzyn wrote: When filtering xattr list for reading, presence of

Re: [PATCH] ovl: filter of trusted xattr results in audit

2019-10-07 Thread Mark Salyzyn
On 10/7/19 9:17 AM, Greg Kroah-Hartman wrote: On Mon, Oct 07, 2019 at 06:16:16PM +0200, Greg Kroah-Hartman wrote: On Mon, Oct 07, 2019 at 09:09:16AM -0700, Mark Salyzyn wrote: When filtering xattr list for reading, presence of trusted xattr results in a security audit log. However, if there is

Re: [PATCH] ovl: filter of trusted xattr results in audit

2019-10-07 Thread Greg Kroah-Hartman
On Mon, Oct 07, 2019 at 06:17:25PM +0200, Greg Kroah-Hartman wrote: > On Mon, Oct 07, 2019 at 06:16:16PM +0200, Greg Kroah-Hartman wrote: > > On Mon, Oct 07, 2019 at 09:09:16AM -0700, Mark Salyzyn wrote: > > > When filtering xattr list for reading, presence of trusted xattr > > > results in a secur

Re: [PATCH] ovl: filter of trusted xattr results in audit

2019-10-07 Thread Greg Kroah-Hartman
On Mon, Oct 07, 2019 at 06:16:16PM +0200, Greg Kroah-Hartman wrote: > On Mon, Oct 07, 2019 at 09:09:16AM -0700, Mark Salyzyn wrote: > > When filtering xattr list for reading, presence of trusted xattr > > results in a security audit log. However, if there is other content > > no errno will be set,

Re: [PATCH] ovl: filter of trusted xattr results in audit

2019-10-07 Thread Greg Kroah-Hartman
On Mon, Oct 07, 2019 at 09:09:16AM -0700, Mark Salyzyn wrote: > When filtering xattr list for reading, presence of trusted xattr > results in a security audit log. However, if there is other content > no errno will be set, and if there isn't, the errno will be -ENODATA > and not -EPERM as is usual

[PATCH] ovl: filter of trusted xattr results in audit

2019-10-07 Thread Mark Salyzyn
When filtering xattr list for reading, presence of trusted xattr results in a security audit log. However, if there is other content no errno will be set, and if there isn't, the errno will be -ENODATA and not -EPERM as is usually associated with a lack of capability. The check does not block the