[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhQkLSBGQ-F5Oi9p3G6L7Bf_jQMWAxug_G4bSOJ0_cYXxQ@mail.gmail.com>
Date: Thu, 10 Mar 2022 17:11:05 -0500
From: Paul Moore <paul@...l-moore.com>
To: Vivek Goyal <vgoyal@...hat.com>,
Amir Goldstein <amir73il@...il.com>,
Miklos Szeredi <miklos@...redi.hu>,
David Anderson <dvander@...gle.com>
Cc: Mark Salyzyn <salyzyn@...roid.com>,
Jonathan Corbet <corbet@....net>,
"Eric W . Biederman" <ebiederm@...ssion.com>,
Randy Dunlap <rdunlap@...radead.org>,
Stephen Smalley <sds@...ho.nsa.gov>,
John Stultz <john.stultz@...aro.org>,
linux-doc@...r.kernel.org,
linux-kernel <linux-kernel@...r.kernel.org>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>,
overlayfs <linux-unionfs@...r.kernel.org>,
LSM List <linux-security-module@...r.kernel.org>,
kernel-team <kernel-team@...roid.com>, selinux@...r.kernel.org,
paulmoore@...rosoft.com, luca.boccassi@...rosoft.com
Subject: Re: [PATCH v19 0/4] overlayfs override_creds=off & nested get xattr fix
On Wed, Mar 9, 2022 at 4:13 PM Paul Moore <paul@...l-moore.com> wrote:
> On Tue, Mar 1, 2022 at 12:05 AM David Anderson <dvander@...gle.com> wrote:
> > On Mon, Feb 28, 2022 at 5:09 PM Paul Moore <paul@...l-moore.com> wrote:
...
> >> This patchset may not have been The Answer, but surely there is
> >> something we can do to support this use-case.
> >
> > Yup exactly, and we still need patches 3 & 4 to deal with this. My current plan is to try and rework our sepolicy (we have some ideas on how it could be made compatible with how overlayfs works). If that doesn't pan out we'll revisit these patches and think harder about how to deal with the coherency issues.
>
> Can you elaborate a bit more on the coherency issues? Is this the dir
> cache issue that is alluded to in the patchset? Anything else that
> has come up on review?
>
> Before I start looking at the dir cache in any detail, did you have
> any thoughts on how to resolve the problems that have arisen?
David, Vivek, Amir, Miklos, or anyone for that matter, can you please
go into more detail on the cache issues? I *think* I may have found a
potential solution for an issue that could arise when the credential
override is not in place, but I'm not certain it's the only issue :)
There is motivation on our part to try and get the
"override_creds=off" portion of the patchset working and suitable for
upstreaming, but I need some help in making sure I understand all the
objections/problems.
--
paul-moore.com
Powered by blists - more mailing lists