[PATCH 5/5] device_cgroup: propagate local changes down the hierarchy

2012-11-27 Thread Aristeu Rozanski
local exceptions, the exception "c 116:2 rwm" will be removed. The local preferences will be kept and applied when allowed by its parent. Cc: Tejun Heo Cc: Serge Hallyn Signed-off-by: Aristeu Rozanski --- security/device_cgroup.c | 215 +++

[PATCH 2/5] device_cgroup: prepare exception list handling functions for two lists

2012-11-27 Thread Aristeu Rozanski
In the following patches, device_cgroup structure will have two sets of behavior and exceptions list (actual one, another with the local settings) so rework the functions to use exception list, not a device_cgroup. Cc: Tejun Heo Cc: Serge Hallyn Signed-off-by: Aristeu Rozanski --- security

[PATCH 4/5] device_cgroup: make may_access() stronger

2012-11-27 Thread Aristeu Rozanski
In order to revalidate local exceptions for the hierarchy change propagation, make may_access() stronger. Cc: Tejun Heo Cc: Serge Hallyn Signed-off-by: Aristeu Rozanski --- security/device_cgroup.c | 36 1 file changed, 24 insertions(+), 12 deletions

[PATCH 0/5] devcg: introduce proper hierarchy support

2012-11-27 Thread Aristeu Rozanski
This patchset implements device cgroup hierarchy. Behaviors and exceptions will be propagated down in the tree and local preferences will be re-evaluated every time a change in its parent occurs, reapplying them if it's still possible. Cc: Tejun Heo Cc: Serge Hallyn Signed-off-by: Ar

[PATCH 1/5] device_cgroup: fix locking in devcgroup_destroy()

2012-11-27 Thread Aristeu Rozanski
Cc: Tejun Heo Cc: Serge Hallyn Signed-off-by: Aristeu Rozanski --- security/device_cgroup.c |4 1 file changed, 4 insertions(+) Index: github/security/device_cgroup.c === --- github.orig/security/device_cgroup.c

[PATCH 3/5] device_cgroup: keep track of local group settings

2012-11-27 Thread Aristeu Rozanski
In preparation for better hierarchy support, it's needed to retain the local settings in order to try to reapply them after a propagated change if they're still valid. Cc: Tejun Heo Cc: Serge Hallyn Signed-off-by: Aristeu Rozanski --- security/device_cgrou

Re: [PATCH 3/5] device_cgroup: keep track of local group settings

2012-11-29 Thread Aristeu Rozanski
On Thu, Nov 29, 2012 at 07:29:45PM +, Serge E. Hallyn wrote: > Quoting Aristeu Rozanski (a...@redhat.com): > > In preparation for better hierarchy support, it's needed to retain the local > > settings in order to try to reapply them after a propagated change if > >

Re: [PATCH 3/5] device_cgroup: keep track of local group settings

2012-11-29 Thread Aristeu Rozanski
On Thu, Nov 29, 2012 at 07:29:45PM +, Serge E. Hallyn wrote: > thanks for doing this. I've got one concern though. I don't see > any place where devcgroup_create() was updated to create the > local exceptions list. I think we need a guarantee that at > any time the local exceptions list will

Re: [PATCH 3/5] device_cgroup: keep track of local group settings

2012-11-29 Thread Aristeu Rozanski
On Thu, Nov 29, 2012 at 08:26:08PM +, Serge E. Hallyn wrote: > Quoting Aristeu Rozanski (a...@redhat.com): > > I see your point. it's indeed a problem. in dev_exception_add(), it > > needs to check for permissions before actually adding to > > devcgroup->excepti

Re: [PATCH v5 9/9] devcg: propagate local changes down the hierarchy

2013-02-04 Thread Aristeu Rozanski
On Sat, Feb 02, 2013 at 04:13:41PM +, Serge E. Hallyn wrote: > Quoting Aristeu Rozanski (a...@redhat.com): > > +static int propagate_behavior(struct dev_cgroup *devcg_root) > > +{ > > + struct cgroup *root = devcg_root->css.cgroup; > > + struct dev_cgroup *par

Re: [PATCH v5 9/9] devcg: propagate local changes down the hierarchy

2013-02-04 Thread Aristeu Rozanski
On Sat, Feb 02, 2013 at 04:20:52PM +, Serge E. Hallyn wrote: > Quoting Aristeu Rozanski (a...@redhat.com): > > +static int propagate_exception(struct dev_cgroup *devcg_root) > > +{ > > + struct cgroup *root = devcg_root->css.cgroup; > > + struct de

[PATCH v6 9/9] devcg: propagate local changes down the hierarchy

2013-02-05 Thread Aristeu Rozanski
by Tejun Heo - instead of keeping the local settings that won't apply anymore, remove them Acked-by: Tejun Heo Cc: Tejun Heo Cc: Serge Hallyn Signed-off-by: Aristeu Rozanski --- Documentation/cgroups/devices.txt | 67 +++ security/device_cgroup.c | 228 +

Re: [PATCH v6 9/9] devcg: propagate local changes down the hierarchy

2013-02-11 Thread Aristeu Rozanski
On Sat, Feb 09, 2013 at 04:04:02AM +, Serge E. Hallyn wrote: > Quoting Aristeu Rozanski (a...@redhat.com): > > devcg: propagate local changes down the hierarchy > > > > This patch makes all changes propagate down in hierarchy respecting when > > po

Re: [PATCH v6 9/9] devcg: propagate local changes down the hierarchy

2013-02-11 Thread Aristeu Rozanski
On Sat, Feb 09, 2013 at 03:53:57AM +, Serge E. Hallyn wrote: > Quoting Aristeu Rozanski (a...@redhat.com): > > Thanks, Aristeu. I'm sorry it feels like I'm just trying to give you a > hard time, I'm really not :) no worries on that, it's important this is

Re: [PATCH v6 9/9] devcg: propagate local changes down the hierarchy

2013-02-11 Thread Aristeu Rozanski
On Mon, Feb 11, 2013 at 05:42:59PM +, Serge E. Hallyn wrote: > Note I said only forbid behavior changes - not exception changes - to > cgroups with children. that won't do much. behavior change is the simplest: if you change a behavior, you wipe the local exceptions unless the special (deny, d

Re: [PATCH v6 9/9] devcg: propagate local changes down the hierarchy

2013-02-11 Thread Aristeu Rozanski
On Mon, Feb 11, 2013 at 06:52:39PM +, Serge E. Hallyn wrote: > > getting rid of local settings would buy more simplicity > > (Not sure which you mean here by 'getting rid of local settings') no local.{behavior,exceptions}, which still would allow behavior propagation, but simply wouldn't keep

Re: [PATCH v3 1/9] device_cgroup: prepare exception list handling functions for two lists

2013-01-29 Thread Aristeu Rozanski
> > so rework the functions to use exception list, not a device_cgroup. > > > > Cc: Tejun Heo > > Cc: Serge Hallyn > > Signed-off-by: Aristeu Rozanski > > Acked-by: Tejun Heo > > Can you please keep acks across postings? That makes it a bit easier >

Re: [PATCH v3 9/9] devcg: propagate local changes down the hierarchy

2013-01-29 Thread Aristeu Rozanski
On Tue, Jan 29, 2013 at 12:35:00PM -0800, Tejun Heo wrote: > Generally looks good to me although I haven't really delved into the > behavior (you're gonna be there for the fallouts, right?). Just some > minor comments. yes, I'll. > > +static int propagate_behavior(struct dev_cgroup *devcg_root)

Re: [PATCH v3 1/9] device_cgroup: prepare exception list handling functions for two lists

2013-01-30 Thread Aristeu Rozanski
On Wed, Jan 30, 2013 at 05:41:40PM +, Serge E. Hallyn wrote: > Quoting a...@redhat.com (a...@redhat.com): > > In the following patches, device_cgroup structure will have two sets of > > behavior and exceptions list (actual one, another with the local settings) > > so rework the functions to use

Re: [PATCH v4 8/9] devcg: refactor dev_exception_clean()

2013-01-30 Thread Aristeu Rozanski
On Wed, Jan 30, 2013 at 08:47:30PM +, Serge E. Hallyn wrote: > Quoting a...@redhat.com (a...@redhat.com): > > - > > - if (rc) > > - return rc; > > Was this intentional? > > I see that you next add > > rc = propagate_behavior(devcgroup); > >

Re: [PATCH v4 8/9] devcg: refactor dev_exception_clean()

2013-01-31 Thread Aristeu Rozanski
On Wed, Jan 30, 2013 at 12:50:38PM -0800, Tejun Heo wrote: > On Wed, Jan 30, 2013 at 12:49 PM, Aristeu Rozanski > that's not > intentional. thanks for catching this > > > > Tejun, you want me to resubmit the whole series or just the next patch > > (where I was suppo

Re: [PATCH v4 9/9] devcg: propagate local changes down the hierarchy

2013-01-31 Thread Aristeu Rozanski
On Thu, Jan 31, 2013 at 04:19:32AM +, Serge E. Hallyn wrote: > Quoting a...@redhat.com (a...@redhat.com): > > +/** > > + * propagate_behavior - propagates a change in the behavior down in > > hierarchy > > + * @devcg_root: device cgroup that changed behavior > > + * > > + * returns: 0 in case

Re: [PATCH v4 9/9] devcg: propagate local changes down the hierarchy

2013-01-31 Thread Aristeu Rozanski
Hi Serge, On Thu, Jan 31, 2013 at 04:38:39AM +, Serge E. Hallyn wrote: > > @@ -610,9 +770,14 @@case '\0': > > */ > > if (devcgroup->behavior == DEVCG_DEFAULT_ALLOW) { > > dev_exception_rm(devcgroup, &ex); > > - retur

[PATCH v5 9/9] devcg: propagate local changes down the hierarchy

2013-02-01 Thread Aristeu Rozanski
online/css_offline changes to a new patch - use cgroup_for_each_descendant_pre() instead of own descendant walk - move exception_copy rework to a separated patch - move exception_clean rework to a separated patch v2: - instead of keeping the local settings that won't apply anymore, remo

[PATCH v2] userns: improve uid/gid map collision detection

2013-01-24 Thread Aristeu Rozanski
lision detection allowing any order to be used. v2: improved the patch description as requested by Andrew Cc: Andrew Morton Cc: "Eric W. Biederman" Cc: "Serge E. Hallyn" Cc: linux-security-mod...@vger.kernel.org Signed-off-by: Aristeu Rozanski diff --git a/kernel

Re: [PATCH v2] userns: improve uid/gid map collision detection

2013-01-25 Thread Aristeu Rozanski
On Thu, Jan 24, 2013 at 04:46:12PM -0800, Andrew Morton wrote: > eek, a macro! Macros are always bad. > > This one is bad because > > a) it's a macro > > b) it evaluates its args multiple times and hence will cause nasty >bugs if called with expressions-with-side-effects. > > c) it evaluat

Re: [PATCH v2] userns: improve uid/gid map collision detection

2013-01-28 Thread Aristeu Rozanski
On Fri, Jan 25, 2013 at 06:31:37PM -0800, Eric W. Biederman wrote: > Aritsteu after looking at both my version and yours I am going with one extra t. > mine. While my code is a little wordier I have half the number of > comparisons your code does, and I took the time to kill the variable > intro

Re: [PATCH review 2/6] userns: Allow any uid or gid mappings that don't overlap.

2013-01-28 Thread Aristeu Rozanski
On Fri, Jan 25, 2013 at 06:21:00PM -0800, Eric W. Biederman wrote: > When I initially wrote the code for /proc//uid_map. I was lazy > and avoided duplicate mappings by the simple expedient of ensuring the > first number in a new extent was greater than any number in the > previous extent. > > Unf

Re: [PATCH review 2/6] userns: Allow any uid or gid mappings that don't overlap.

2013-01-28 Thread Aristeu Rozanski
On Mon, Jan 28, 2013 at 06:41:39PM +0400, Lord Glauber Costa of Sealand wrote: > Hello Mr. Someone. > > On 01/28/2013 06:28 PM, Aristeu Rozanski wrote: > > On Fri, Jan 25, 2013 at 06:21:00PM -0800, Eric W. Biederman wrote: > >> When I initially wrote the code for /pr

Re: [PATCH v5 4/4] devcg: propagate local changes down the hierarchy

2013-02-19 Thread Aristeu Rozanski
On Tue, Feb 19, 2013 at 09:12:08PM +, Serge E. Hallyn wrote: > Quoting Aristeu Rozanski (a...@redhat.com): > > + } else { > > + /* > > +* in the other possible cases: > > +* root'

Re: [PATCH v5 4/4] devcg: propagate local changes down the hierarchy

2013-03-13 Thread Aristeu Rozanski
Hi Tejun, On Tue, Feb 19, 2013 at 04:20:16PM -0500, Aristeu Rozanski wrote: > On Tue, Feb 19, 2013 at 09:12:08PM +, Serge E. Hallyn wrote: > > Quoting Aristeu Rozanski (a...@redhat.com): > > > + } else { > > > + /* > > > +

[PATCH v2 4/6] device_cgroup: stop using simple_strtoul()

2012-09-04 Thread Aristeu Rozanski
This patch converts the code to use kstrtou32() instead of simple_strtoul() which is deprecated. The real size of the variables is u32, so use kstrtou32 instead of kstrtoul Signed-off-by: Aristeu Rozanski --- security/device_cgroup.c | 28 ++-- 1 file changed, 22

[PATCH v2 1/6] device_cgroup: add "behavior" in dev_cgroup structure

2012-09-04 Thread Aristeu Rozanski
Cc: James Morris Cc: Pavel Emelyanov Cc: Serge Hallyn Signed-off-by: Aristeu Rozanski --- security/device_cgroup.c |8 1 file changed, 8 insertions(+) Index: github/security/device_cgroup.c === --- github.orig

[PATCH v2 6/6] device_cgroup: introduce a new, more consistent interface for device_cgroup

2012-09-04 Thread Aristeu Rozanski
. Cc: Tejun Heo Cc: Li Zefan Cc: James Morris Cc: Pavel Emelyanov Cc: Serge Hallyn Signed-off-by: Aristeu Rozanski --- Documentation/cgroups/devices.txt | 73 -- security/device_cgroup.c | 63 +++- 2 files cha

[PATCH v2 2/6] device_cgroup: introduce dev_whitelist_clean()

2012-09-04 Thread Aristeu Rozanski
This function cleans all the items in a whitelist and will be used by the next patches. v2: - no changes Cc: Tejun Heo Cc: Li Zefan Cc: James Morris Cc: Pavel Emelyanov Cc: Serge Hallyn Signed-off-by: Aristeu Rozanski --- security/device_cgroup.c | 22 +- 1 file

[PATCH v2 0/6] device_cgroup: replace internally whitelist with exception list

2012-09-04 Thread Aristeu Rozanski
The original model of device_cgroup is having a whitelist where all the allowed devices are listed. The problem with this approach is that it is impossible to have the case of allowing everything but few devices. The reason for that lies in the way the whitelist is handled internally: since there's o

[PATCH v2 5/6] device_cgroup: rename whitelist to exception list

2012-09-04 Thread Aristeu Rozanski
This patch replaces the "whitelist" usage in the code and comments and replace them by exception list related information. v2: - fix checkpatch warnings Cc: Tejun Heo Cc: Li Zefan Cc: James Morris Cc: Pavel Emelyanov Cc: Serge Hallyn Signed-off-by: Aristeu Rozanski ---

[PATCH v2 3/6] device_cgroup: convert device_cgroup internally to policy + exceptions

2012-09-04 Thread Aristeu Rozanski
e to use behavior instead of deny_all Cc: Tejun Heo Cc: Li Zefan Cc: James Morris Cc: Pavel Emelyanov Cc: Serge Hallyn Signed-off-by: Aristeu Rozanski --- security/device_cgroup.c | 228 +++ 1 file changed, 132 insertions(+), 96 deletio

[PATCH v2 1/2] cgroups: add documentation on extended attributes usage

2012-09-11 Thread Aristeu Rozanski
v2: update cgroups.txt instead of creating a new file Cc: Li Zefan Cc: Tejun Heo Cc: Hugh Dickins Cc: Hillf Danton Cc: Lennart Poettering Signed-off-by: Aristeu Rozanski --- Documentation/cgroups/cgroups.txt | 24 ++-- 1 file changed, 22 insertions(+), 2 deletions

[PATCH v2 0/2] cgroups: add documentation on extended attributes and simple_xattr functions

2012-09-11 Thread Aristeu Rozanski
ering Signed-off-by: Aristeu Rozanski -- Aristeu -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

[PATCH v2 2/2] fs: add missing documentation to simple_xattr functions

2012-09-11 Thread Aristeu Rozanski
v2: add function documentation instead of adding a separate file under Documentation/ Cc: Li Zefan Cc: Tejun Heo Cc: Hugh Dickins Cc: Hillf Danton Cc: Lennart Poettering Signed-off-by: Aristeu Rozanski --- fs/xattr.c | 18 -- 1 file changed, 16 insertions(+), 2

Re: [PATCH UPDATED RFC cgroup/for-3.7] cgroup: mark subsystems with broken hierarchy support and whine if cgroups are nested for them

2012-09-11 Thread Aristeu Rozanski
Hi Tejun, On Tue, Sep 11, 2012 at 11:23:56AM -0700, Tejun Heo wrote: > + /* we're fully hierarchical iff root uses hierarchy */ minor nit: s/iff/if/ -- Aristeu

Re: [PATCH v2 2/2] fs: add missing documentation to simple_xattr functions

2012-09-13 Thread Aristeu Rozanski
On Thu, Sep 13, 2012 at 11:11:24AM -0700, Tejun Heo wrote: > Updated the patch in place accordingly. Thanks. > > From 4895768b6aab55bbdbebcf2da090cb1a5ccf5463 Mon Sep 17 00:00:00 2001 > From: Aristeu Rozanski > Date: Tue, 11 Sep 2012 16:28:11 -0400 > Subject: [PATC

Re: [PATCH] cgroup: fix invalid rcu dereference

2012-09-14 Thread Aristeu Rozanski
, dev_t dev) > { > - struct dev_cgroup *dev_cgroup = task_devcgroup(current); > short type; > > if (!S_ISBLK(mode) && !S_ISCHR(mode)) > @@ -578,7 +577,7 @@ int devcgroup_inode_mknod(int mode, dev_t dev) > else > type = DEV_CHAR; > > - return __devcgroup_check_perm

Re: [RFC] cgroup TODOs

2012-09-14 Thread Aristeu Rozanski
Tejun, On Thu, Sep 13, 2012 at 01:58:27PM -0700, Tejun Heo wrote: > memcg can be handled by memcg people and I can handle cgroup_freezer > and others with help from the authors. The problematic one is > blkio. If anyone is interested in working on blkio, please be my > guest. Vivek? Gla

Re: [PATCH 1/2] Revert "xattr: mark variable as uninitialized to make both gcc and smatch happy"

2012-09-14 Thread Aristeu Rozanski
Sasha, On Fri, Sep 14, 2012 at 09:35:53PM +0200, Sasha Levin wrote: > This reverts commit 0142145ddb1d6c841be4eae2c7a32dd18ad34b24. > > Short version: > > Not initializing 'new_xattr' at the beginning of __simple_xattr_set() may > lead to > dereferencing it later on in the function. > > > Lon

Re: [PATCH 2/2] xattr: prevent NULL ptr deref warnings in __simple_xattr_set

2012-09-14 Thread Aristeu Rozanski
On Fri, Sep 14, 2012 at 01:55:55PM -0700, Tejun Heo wrote: > On Fri, Sep 14, 2012 at 01:54:34PM -0700, Tejun Heo wrote: > > On Fri, Sep 14, 2012 at 09:35:54PM +0200, Sasha Levin wrote: > > > Prevent warnings generated by smatch due to unchecked dereference of > > > 'new_xattr' in __simple_xattr_set

Re: [PATCH 1/4] cgroup: fix invalid rcu dereference

2012-10-23 Thread Aristeu Rozanski
On Tue, Oct 23, 2012 at 02:50:48PM +0200, Jiri Slaby wrote: > No, I'm *not* the author of the patch... Or at least I don't remember > :P. Where did you take it from? <1347615612-11450-1-git-send-email-jsl...@suse.cz> Date: Fri, 14 Sep 2012 11:40:12 +0200 you didn't include a "From:" on your emai

[PATCH] fs: xattr: rewrite simple_xattr_set()

2012-10-25 Thread Aristeu Rozanski
The way this function was written is confusing and already caused problems. Rewriting it to be easier to understand and maintain. Cc: Tejun Heo Cc: Li Zefan Cc: Al Viro Signed-off-by: Aristeu Rozanski --- fs/xattr.c | 124 + 1

Re: [PATCH] fs: xattr: rewrite simple_xattr_set()

2012-10-25 Thread Aristeu Rozanski
On Thu, Oct 25, 2012 at 10:33:26AM -0700, Tejun Heo wrote: > On Thu, Oct 25, 2012 at 11:26:14AM -0400, Aristeu Rozanski wrote: > > - return err; > > > > + return 1; > > +} > > So, it returns 0 on success and 1 on failure, which in itself isn't a > pa

Re: [PATCH] fs: xattr: rewrite simple_xattr_set()

2012-10-25 Thread Aristeu Rozanski
On Thu, Oct 25, 2012 at 10:59:35AM -0700, Tejun Heo wrote: > On Thu, Oct 25, 2012 at 10:54 AM, Aristeu Rozanski wrote: > >> So, it returns 0 on success and 1 on failure, which in itself isn't a > >> particularly good idea. > > > > you mean it should return

[PATCH v2] fs: xattr: rewrite simple_xattr_set()

2012-10-25 Thread Aristeu Rozanski
The way this function was written is confusing and already caused problems. Rewriting it to be easier to understand and maintain. v2: - fix error return value in __simple_xattr_remove() (pointed by Tejun Heo) Cc: Hugh Dickins Cc: Tejun Heo Cc: Li Zefan Cc: Al Viro Signed-off-by: Aristeu

[PATCH] device_cgroup: fix unchecked cgroup parent usage

2012-10-31 Thread Aristeu Rozanski
rew, Tejun, this patch needs to make Linus tree ASAP or a revert for 4cef7299b4786879a3e113e84084a72b24590c5b. Cc: Andrew Morton Cc: Tejun Heo Cc: Li Zefan Cc: James Morris Cc: Pavel Emelyanov Cc: Serge Hallyn Cc: Jiri Slaby Signed-off-by: Aristeu Rozanski --- github.orig/security/devic

Re: [PATCH] device_cgroup: fix unchecked cgroup parent usage

2012-11-01 Thread Aristeu Rozanski
On Wed, Oct 31, 2012 at 04:35:01PM -0700, Andrew Morton wrote: > On Wed, 31 Oct 2012 12:04:30 -0400 > Aristeu Rozanski wrote: > > > In 4cef7299b4786879a3e113e84084a72b24590c5b the cgroup parent usage is > > unchecked. root will not have a parent and trying to use > >

[PATCH] coredump: run the coredump helper using the same namespace as the dead process

2012-11-05 Thread Aristeu Rozanski
c: "Eric W. Biederman" Cc: Al Viro Signed-off-by: Aristeu Rozanski diff --git a/fs/coredump.c b/fs/coredump.c index ce47379..fa14ea1 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -455,6 +455,19 @@ static int umh_pipe_setup(struct subprocess_info *info, struct cred *new)

Re: [PATCH] coredump: run the coredump helper using the same namespace as the dead process

2012-11-05 Thread Aristeu Rozanski
On Mon, Nov 05, 2012 at 11:34:26AM -0800, Eric W. Biederman wrote: > I would argue that you very much need to define what it means to have a > per container core dump at the same time as you argue this. > > Nacked-by: "Eric W. Biederman" > > Running in a namespace different than whoever set the

Re: [PATCH 0/5] userns: convert some filesystems to kuid/kgid

2012-07-26 Thread Aristeu Rozanski
Hi Eric, On Wed, Jul 25, 2012 at 04:14:41PM -0700, Eric W. Biederman wrote: > Sorry no. I have unfortunately been a bit out of it for the last few > weeks and I have patches to address this already in my development tree. what's the tree you're using for development? ebiederm/user-namespace.git a

Re: [PATCH 0/5] userns: convert some filesystems to kuid/kgid

2012-07-26 Thread Aristeu Rozanski
On Thu, Jul 26, 2012 at 10:24:41AM -0700, Eric W. Biederman wrote: > Please see my userns-always-map-user-v41 branch. d'oh. thanks Eric -- Aristeu

[PATCH 2/2] fs: add documentation to simple_xattr functions

2012-09-05 Thread Aristeu Rozanski
Cc: Li Zefan Cc: Tejun Heo Cc: Hugh Dickins Cc: Hillf Danton Cc: Lennart Poettering Signed-off-by: Aristeu Rozanski --- Documentation/filesystems/00-INDEX |3 ++ Documentation/filesystems/simple_xattr.txt | 42 + 2 files changed, 45 insertions

[PATCH 0/2] cgroups: add documentation on extended attributes and simple_xattr functions

2012-09-05 Thread Aristeu Rozanski
cgroups: add documentation on extended attributes and simple_xattr functions These patches add documentation on the new functions and current specific cgroup usage. Cc: Li Zefan Cc: Tejun Heo Cc: Hugh Dickins Cc: Hillf Danton Cc: Lennart Poettering Signed-off-by: Aristeu Rozanski

[PATCH 1/2] cgroups: add documentation on extended attributes usage

2012-09-05 Thread Aristeu Rozanski
Cc: Li Zefan Cc: Tejun Heo Cc: Hugh Dickins Cc: Hillf Danton Cc: Lennart Poettering Signed-off-by: Aristeu Rozanski --- Documentation/cgroups/00-INDEX |2 ++ Documentation/cgroups/xattr.txt | 21 + 2 files changed, 23 insertions(+) --- a/Documentation/cgroups

Re: suspicious RCU usage in cgroup

2012-10-05 Thread Aristeu Rozanski
Hi Dave, On Fri, Oct 05, 2012 at 05:59:29PM -0400, Dave Jones wrote: > On boot in Linus' current tree.. > > > === > [ INFO: suspicious RCU usage. ] > 3.6.0+ #22 Not tainted > --- > include/linux/cgroup.h:566 suspicious rcu_dereference_check(

Re: [PATCH 4/5] device_cgroup: make may_access() stronger

2012-12-03 Thread Aristeu Rozanski
On Mon, Dec 03, 2012 at 09:44:14AM -0800, Tejun Heo wrote: > I kinda dislike this. This isn't a performance critical path where we > must try our best to shave off a few condition checks. There's no > reason to encode the test like this. Please just spell the conditions > out in code rather than

Re: [PATCH 3/5] device_cgroup: keep track of local group settings

2012-12-03 Thread Aristeu Rozanski
On Mon, Dec 03, 2012 at 06:01:25PM +, Serge E. Hallyn wrote: > First, generally, I don't think 'allows' added to parent should be > automatically propagated to descendents. that's what I think too and what I tried to do > In devcgroup_update_access: (around line 625) > there is a perio

Re: [PATCH 5/5] device_cgroup: propagate local changes down the hierarchy

2012-12-03 Thread Aristeu Rozanski
On Mon, Dec 03, 2012 at 10:01:45AM -0800, Tejun Heo wrote: > On Tue, Nov 27, 2012 at 02:35:06PM -0500, Aristeu Rozanski wrote: > > This patch makes all changes propagate down in hierarchy respecting when > > possible local configurations. > > > > Behavior changes will

Re: suspicious RCU usage in cgroup

2012-10-17 Thread Aristeu Rozanski
On Wed, Oct 17, 2012 at 12:26:23PM -0400, Dave Jones wrote: > On Fri, Oct 05, 2012 at 06:06:12PM -0400, Aristeu Rozanski wrote: > > Hi Dave, > > On Fri, Oct 05, 2012 at 05:59:29PM -0400, Dave Jones wrote: > > > On boo

Re: [patch for-3.7] fs, xattr: fix bug when removing a name not in xattr list

2012-10-18 Thread Aristeu Rozanski
ttr; > - struct simple_xattr *uninitialized_var(new_xattr); > + struct simple_xattr *new_xattr = NULL; > int err = 0; > > /* value == NULL means remove */ I think Sasha Levin was working on that (Cc'd) along with the smatch fix. Anyway, __simple_xattr_set

[PATCH 1/3] device_cgroup: rename deny_all to behavior

2012-10-19 Thread Aristeu Rozanski
This was done in a v2 patch but v1 ended up being committed. The variable name is less confusing and stores the default behavior when no matching exception exists. Cc: Dave Jones Cc: Andrew Morton Cc: Tejun Heo Cc: Li Zefan Cc: James Morris Cc: Pavel Emelyanov Cc: Serge Hallyn Signed-off-b

[PATCH 3/3] device_cgroup: add proper checking when changing default behavior

2012-10-19 Thread Aristeu Rozanski
Before changing a group's default behavior to ALLOW, we must check if its parent's behavior is also ALLOW. Cc: Tejun Heo Cc: Li Zefan Cc: James Morris Cc: Pavel Emelyanov Cc: Serge Hallyn Signed-off-by: Aristeu Rozanski --- security/device_cgroup.c | 19 +

[PATCH 2/3] device_cgroup: stop using simple_strtoul()

2012-10-19 Thread Aristeu Rozanski
This patch converts the code to use kstrtou32() instead of simple_strtoul() which is deprecated. The real size of the variables is u32, so use kstrtou32 instead of kstrtoul Cc: Dave Jones Cc: Andrew Morton Cc: Tejun Heo Cc: Li Zefan Cc: James Morris Cc: Pavel Emelyanov Cc: Serge Hallyn Si

[PATCH 0/3] Rebase device_cgroup v2 patchset

2012-10-19 Thread Aristeu Rozanski
changed, 61 insertions(+), 26 deletions(-) Cc: Dave Jones Cc: Andrew Morton Cc: Tejun Heo Cc: Li Zefan Cc: James Morris Cc: Pavel Emelyanov Cc: Serge Hallyn Signed-off-by: Aristeu Rozanski -- Aristeu

Re: [PATCH 1/3] device_cgroup: rename deny_all to behavior

2012-10-22 Thread Aristeu Rozanski
On Fri, Oct 19, 2012 at 11:45:06PM +0200, Jiri Slaby wrote: > > Signed-off-by: Jiri Slaby > > R U sure?^^^ > As I don't remember myself ever seeing this patch... > Maybe I should start smoking some crap to refresh my memory? argh, sorry. wanted to include everyone

[PATCH 0/4] Rebase device_cgroup v2 patchset

2012-10-22 Thread Aristeu Rozanski
changed, 61 insertions(+), 26 deletions(-) Cc: Dave Jones Cc: Andrew Morton Cc: Tejun Heo Cc: Li Zefan Cc: James Morris Cc: Pavel Emelyanov Cc: Serge Hallyn Cc: Jiri Slaby Signed-off-by: Aristeu Rozanski -- Aristeu

[PATCH 3/4] device_cgroup: stop using simple_strtoul()

2012-10-22 Thread Aristeu Rozanski
Cc: Jiri Slaby Signed-off-by: Aristeu Rozanski --- security/device_cgroup.c | 28 ++-- 1 file changed, 22 insertions(+), 6 deletions(-) --- github.orig/security/device_cgroup.c2012-10-19 16:35:46.366102913 -0400 +++ github/security/device_cgroup.c 2012-10

[PATCH 4/4] device_cgroup: add proper checking when changing default behavior

2012-10-22 Thread Aristeu Rozanski
Before changing a group's default behavior to ALLOW, we must check if its parent's behavior is also ALLOW. Cc: Tejun Heo Cc: Li Zefan Cc: James Morris Cc: Pavel Emelyanov Cc: Serge Hallyn Cc: Jiri Slaby Signed-off-by: Aristeu Rozanski --- security/device_cgrou

[PATCH 1/4] cgroup: fix invalid rcu dereference

2012-10-22 Thread Aristeu Rozanski
From: Jiri Slaby Commit "device_cgroup: convert device_cgroup internally to policy + exceptions" removed rcu locks which are needed in task_devcgroup called in this chain: devcgroup_inode_mknod OR __devcgroup_inode_permission -> __devcgroup_inode_permission -> task_devcgroup -> task_subsys_state

[PATCH 2/4] device_cgroup: rename deny_all to behavior

2012-10-22 Thread Aristeu Rozanski
Slaby Signed-off-by: Aristeu Rozanski --- security/device_cgroup.c | 25 ++--- 1 file changed, 14 insertions(+), 11 deletions(-) --- github.orig/security/device_cgroup.c2012-10-19 16:35:37.936804289 -0400 +++ github/security/device_cgroup.c 2012-10-19 16:35

Re: [PATCH 0/4] Rebase device_cgroup v2 patchset

2012-10-22 Thread Aristeu Rozanski
Hi Andrew, On Mon, Oct 22, 2012 at 12:58:38PM -0700, Andrew Morton wrote: > On Mon, 22 Oct 2012 09:45:36 -0400 > Aristeu Rozanski wrote: > > > This patchset rebases the v2 of the patchset since the v1 was pushed into > > -rc1 > > instead. The last patch, not present

Re: [PATCH] devcg: remove parent_cgroup.

2013-04-16 Thread Aristeu Rozanski
On Tue, Apr 16, 2013 at 11:24:55PM +0300, Rami Rosen wrote: > In devcgroup_css_alloc(), there is no longer need for parent_cgroup. > bd2953ebbb("devcg: propagate local changes down the hierarchy") made > the variable parent_cgroup redundant. This patch removes parent_cgroup > from devcgroup_css_all

Re: [PATCH] devcg: remove parent_cgroup.

2013-04-16 Thread Aristeu Rozanski
On Tue, Apr 16, 2013 at 04:07:25PM -0500, Serge Hallyn wrote: > Quoting Aristeu Rozanski (a...@redhat.com): > > On Tue, Apr 16, 2013 at 11:24:55PM +0300, Rami Rosen wrote: > > > In devcgroup_css_alloc(), there is no longer need for parent_cgroup. > > > bd2953ebbb("

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-19 Thread Aristeu Rozanski
On Wed, Jun 19, 2013 at 09:53:32AM +0800, Gao feng wrote: > This patchset is first part of namespace support for audit. > in this patchset, the mainly resources of audit system have > been isolated. the audit filter, rules haven't been isolated > now. It will be implemented in Part2. We finished the

Re: [Part1 PATCH 00/22] Add namespace support for audit

2013-06-24 Thread Aristeu Rozanski
On Thu, Jun 20, 2013 at 03:01:09PM -0700, Eric W. Biederman wrote: > Gao feng writes: > > > On 06/20/2013 11:02 AM, Gao feng wrote: > >> If we don't tie audit to user namespace, there is still one problem. > > > > One more problem. some audit messages are generated by some net subsystem > > such

Re: [PATCH 08/23] cgroup: pass around cgroup_subsys_state instead of cgroup in subsystem methods

2013-08-05 Thread Aristeu Rozanski
nel/cgroup.c::offline_css(), unnecessary open coded css > dereference is replaced with local variable access. > > This patch shouldn't cause any behavior differences. looks fine on device_cgroup.c bit Acked-by: Aristeu Rozanski -- Aristeu

Re: [PATCH 12/23] cgroup: pass around cgroup_subsys_state instead of cgroup in file methods

2013-08-05 Thread Aristeu Rozanski
any user left. Removed. > > * hugetlb: hugetlb_cgroup_form_cgroup() doesn't have any user left. > Removed. > > * net_cls: cgrp_cls_state() doesn't have any user left. Removed. Also looks good on devcg part Acked-by: Aristeu Rozanski -- Aristeu

Re: [PATCH 15/23] cgroup: make hierarchy iterators deal with cgroup_subsys_state instead of cgroup

2013-08-05 Thread Aristeu Rozanski
ed. > > * devices: cgroup_to_devcgroup() is no longer used. Removed. Acked-by: Aristeu Rozanski -- Aristeu

Re: [PATCH cgroup/for-3.12] cgroup: make css_for_each_descendant() and friends include the origin css in the iteration

2013-08-05 Thread Aristeu Rozanski
dling before or after, it's moved inside the > iteration. If not, if (pos == origin) continue; is added. Some > conversions add extra reference get/put around origin handling by > consolidating origin handling and the rest. While the extra ref > operations aren't strictly

Re: [PATCH 0/4] Rebase device_cgroup v2 patchset

2013-05-14 Thread Aristeu Rozanski
On Tue, May 14, 2013 at 10:05:39AM -0500, Serge Hallyn wrote: > so now that the device cgroup properly respects hierarchy, not allowing > a cgroup to be given greater permission than its parent, should we consider > relaxing the capability checks? > > There are two capable(CAP_SYS_ADMIN) checks in

Re: [PATCH cgroup/for-3.10] devcg: remove broken_hierarchy tag

2013-04-08 Thread Aristeu Rozanski
ted proper hierarchy support. Remove the broken tag. > > Signed-off-by: Tejun Heo > Cc: Aristeu Rozanski > --- > Applying to cgroup/for-3.10. looks good, thanks Tejun Acked-by: Aristeu Rozanski -- Aristeu

Re: [PATCH RFC 09/48] Audit: make audit_enabled per user namespace

2013-05-07 Thread Aristeu Rozanski
On Tue, May 07, 2013 at 10:20:30AM +0800, Gao feng wrote: > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 684599b..33e6584 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -441,7 +441,8 @@ extern int audit_filter_type(int type); > extern int audit_recei

Re: [PATCH v6 1/4] xattr: extract simple_xattr code from tmpfs

2012-08-22 Thread Aristeu Rozanski
On Mon, Aug 20, 2012 at 09:47:15PM -0700, Hugh Dickins wrote: > On Mon, 20 Aug 2012, Aristeu Rozanski wrote: > > On Mon, Aug 20, 2012 at 12:10:09AM -0700, Hugh Dickins wrote: > > > Yes, it looks nice to me. I might have preferred more as inlines in > > > the header fi

Re: [PATCH v6 1/4] xattr: extract simple_xattr code from tmpfs

2012-08-22 Thread Aristeu Rozanski
On Wed, Aug 22, 2012 at 01:25:06PM -0700, Hugh Dickins wrote: > > > Probably more important would be to remove spin_lock() and spin_unlock() > > > (and INIT_LIST_HEAD) from simple_xattrs_free() - those are unnecessary > > > in shmem_evict_inode(), and wouldn't they be unnecessary whenever > > > sim

Re: [PATCH v6 3/4] cgroup: add xattr support

2012-08-23 Thread Aristeu Rozanski
On Thu, Aug 23, 2012 at 12:44:23PM -0700, Tejun Heo wrote: > Hello, Hugh. > > On Tue, Aug 21, 2012 at 04:29:53PM -0700, Hugh Dickins wrote: > > Are we expecting Aristeu+Zefan's simple_xattr patches to go into 3.7? > > Yeah, probably. > > > I don't have anything planned for shmem.c for 3.7 beyond

Re: [PATCH v7 1/4] xattr: extract simple_xattr code from tmpfs

2012-08-24 Thread Aristeu Rozanski
On Thu, Aug 23, 2012 at 04:14:24PM -0700, Hugh Dickins wrote: > I'm also happy to see that you're now using simple_xattr_alloc() in > __simple_xattr_set() (but no need to respin to comment on that here). > > It looks very nice: much better for this code to live in fs/xattr.c > than in mm/shmem.c.

Re: [PATCH v7 0/4] cgroup: add xattr support

2012-08-27 Thread Aristeu Rozanski
Hi Tejun, On Fri, Aug 24, 2012 at 03:58:39PM -0700, Tejun Heo wrote: > On Thu, Aug 23, 2012 at 04:53:27PM -0400, a...@redhat.com wrote: > > This series are a refreshed version of a patchset submitted by Li Zefan back > > in march: > > https://lkml.org/lkml/2012/3/1/13 > > Applied to cgroup/for

Re: [RFC] cgroup TODOs

2012-09-17 Thread Aristeu Rozanski
On Sun, Sep 16, 2012 at 09:19:17AM +0100, James Bottomley wrote: > On Fri, 2012-09-14 at 14:36 -0400, Aristeu Rozanski wrote: > > also, heard about the desire of having a device namespace instead with > > support for translation ("sda" -> "sdf"). If anyone see

Re: [PATCH v3 0/3] cgroup: add xattr support

2012-08-07 Thread Aristeu Rozanski
(Added Lennart to the discussion so he can help explaining how systemd will use the xattrs) On Fri, Jul 20, 2012 at 11:04:59AM -0700, Tejun Heo wrote: > Hello, Hugh, Aristeu. > > On Fri, Jul 20, 2012 at 01:59:59PM -0400, Aristeu Rozanski wrote: > > hm, not sure that's wha

Re: [PATCH v3 0/3] cgroup: add xattr support

2012-07-20 Thread Aristeu Rozanski
Hugh, On Wed, Jul 18, 2012 at 06:11:32PM -0700, Hugh Dickins wrote: > > But why do we need something completely new? Can't we hijack some > > inodes used by tmpfs and use them for xattr storage? ie. Would it be > > difficult to use tmpfs as backend storage for on-memory xattr? With > > that, we

Re: [PATCH v3 0/3] cgroup: add xattr support

2012-07-23 Thread Aristeu Rozanski
On Sun, Jul 22, 2012 at 12:12:07PM -0700, Hugh Dickins wrote: > Please, do not do this. > > It may be fun to implement, but not to review and maintain. > > If we're going to start supporting swappable kernel memory, tmpfs > xattrs is not the right place to start, and libfs xattrs certainly not: >

Re: [PATCH v3 0/3] cgroup: add xattr support

2012-07-24 Thread Aristeu Rozanski
On Tue, Jul 24, 2012 at 11:28:09AM -0700, Tejun Heo wrote: > On Mon, Jul 23, 2012 at 02:12:52PM -0400, Aristeu Rozanski wrote: > > > Will "lsattr -R" in the cgroupfs mountpoint do enough to judge how > > > much memory is being used in this way? I expect not, but I

Re: [PATCH 0/5] userns: convert some filesystems to kuid/kgid

2012-07-25 Thread Aristeu Rozanski
Hi Eric, On Wed, Jul 11, 2012 at 03:01:17PM -0400, Aristeu Rozanski wrote: > Hi, > this patchset converts 9p, ADFS, AFFS, AFS and autofs4 to use kuid and kgid. > I plan to work on the other pending filesystems too but wanted some feedback > on the first ones first. had any chance to l
