Re: [PATCH 3/1] xfstests: generic/062: Do not run on newer kernels

[PATCH v3 0/1] Relax restrictions on user.* xattr · Vivek Goyal <vgoyal@redhat.com> · 2021-09-02
[PATCH v3 1/1] xattr: Allow user.* xattr on symlink and special files · Vivek Goyal <vgoyal@redhat.com> · 2021-09-02
[PATCH 2/1] man-pages: xattr.7: Update text for user extended xattr behavior change · Vivek Goyal <vgoyal@redhat.com> · 2021-09-02
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Casey Schaufler <casey@schaufler-ca.com> · 2021-09-02
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Vivek Goyal <vgoyal@redhat.com> · 2021-09-02
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Vivek Goyal <vgoyal@redhat.com> · 2021-09-02
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Casey Schaufler <casey@schaufler-ca.com> · 2021-09-02
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Vivek Goyal <vgoyal@redhat.com> · 2021-09-02
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Casey Schaufler <casey@schaufler-ca.com> · 2021-09-02
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Vivek Goyal <vgoyal@redhat.com> · 2021-09-03
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Casey Schaufler <casey@schaufler-ca.com> · 2021-09-03
Re: [Virtio-fs] [PATCH v3 0/1] Relax restrictions on user.* xattr · Sergio Lopez <hidden> · 2021-09-06
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Dr. David Alan Gilbert <hidden> · 2021-09-06
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Casey Schaufler <casey@schaufler-ca.com> · 2021-09-13
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Vivek Goyal <vgoyal@redhat.com> · 2021-09-14
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Casey Schaufler <casey@schaufler-ca.com> · 2021-09-14
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Bruce Fields <hidden> · 2021-09-14
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Vivek Goyal <vgoyal@redhat.com> · 2021-09-14
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Bruce Fields <hidden> · 2021-09-14
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Dr. Greg <hidden> · 2021-09-15
[PATCH 3/1] xfstests: generic/062: Do not run on newer kernels · Vivek Goyal <vgoyal@redhat.com> · 2021-09-02
Re: [PATCH 3/1] xfstests: generic/062: Do not run on newer kernels · Dave Chinner <david@fromorbit.com> · 2021-09-03
Re: [PATCH 3/1] xfstests: generic/062: Do not run on newer kernels · Zorro Lang <hidden> · 2021-09-03
Re: [PATCH 3/1] xfstests: generic/062: Do not run on newer kernels · Andreas Gruenbacher <agruenba@redhat.com> · 2021-09-03
Re: [PATCH 3/1] xfstests: generic/062: Do not run on newer kernels · Andreas Gruenbacher <agruenba@redhat.com> · 2021-09-03
Re: [PATCH 3/1] xfstests: generic/062: Do not run on newer kernels · Bruce Fields <hidden> · 2021-09-03
Re: [PATCH 3/1] xfstests: generic/062: Do not run on newer kernels · Vivek Goyal <vgoyal@redhat.com> · 2021-09-03
Re: [PATCH 3/1] xfstests: generic/062: Do not run on newer kernels · Bruce Fields <hidden> · 2021-09-03
Re: [PATCH 3/1] xfstests: generic/062: Do not run on newer kernels · Casey Schaufler <casey@schaufler-ca.com> · 2021-09-03
Re: [PATCH 3/1] xfstests: generic/062: Do not run on newer kernels · Vivek Goyal <vgoyal@redhat.com> · 2021-09-03
[PATCH 4/1] xfstest: Add a new test to test xattr operations · Vivek Goyal <vgoyal@redhat.com> · 2021-09-02
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Andreas Gruenbacher <agruenba@redhat.com> · 2021-09-02
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Vivek Goyal <vgoyal@redhat.com> · 2021-09-02
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Casey Schaufler <casey@schaufler-ca.com> · 2021-09-02
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Dr. David Alan Gilbert <hidden> · 2021-09-06
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Miklos Szeredi <miklos@szeredi.hu> · 2021-09-06
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Vivek Goyal <vgoyal@redhat.com> · 2021-09-07
Re: [PATCH v3 0/1] Relax restrictions on user.* xattr · Miklos Szeredi <miklos@szeredi.hu> · 2021-09-08

From: Vivek Goyal <vgoyal@redhat.com>
Date: 2021-09-03 15:43:20
Also in: fstests, linux-security-module, lkml, selinux

On Fri, Sep 03, 2021 at 10:42:34AM -0400, Bruce Fields wrote:

Well, we could also look at supporting trusted.* xattrs over NFS.  I
don't know much about them, but it looks like it wouldn't be a lot of
work to specify, especially now that we've already got user xattrs?
We'd just write a new internet draft that refers to the existing
user.* xattr draft for most of the details.

Will be nice if we can support trusted.* xattrs on NFS.

Vivek

--b.

On Fri, Sep 3, 2021 at 2:56 AM Andreas Gruenbacher [off-list ref] wrote:

quoted

On Fri, Sep 3, 2021 at 8:31 AM Andreas Gruenbacher [off-list ref] wrote:

quoted

On Thu, Sep 2, 2021 at 5:47 PM Vivek Goyal [off-list ref] wrote:

quoted

xfstests: generic/062: Do not run on newer kernels

This test has been written with assumption that setting user.* xattrs will
fail on symlink and special files. When newer kernels support setting
user.* xattrs on symlink and special files, this test starts failing.

It's actually a good thing that this test case triggers for the kernel
change you're proposing; that change should never be merged. The
user.* namespace is meant for data with the same access permissions as
the file data, and it has been for many years. We may have
applications that assume the existing behavior. In addition, this
change would create backwards compatibility problems for things like
backups.

I'm not convinced that what you're actually proposing (mapping
security.selinux to a different attribute name) actually makes sense,
but that's a question for the selinux folks to decide. Mapping it to a
user.* attribute is definitely wrong though. The modified behavior
would affect anybody, not only users of selinux and/or virtiofs. If
mapping attribute names is actually the right approach, then you need
to look at trusted.* xattrs, which exist specifically for this kind of
purpose. You've noted that trusted.* xattrs aren't supported over nfs.
That's unfortunate, but not an acceptable excuse for messing up user.*
xattrs.

Another possibility would be to make selinux use a different
security.* attribute for this nested selinux case. That way, the
"host" selinux would retain some control over the labels the "guest"
uses.

Thanks,
Andreas

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help