Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs

[PATCH 0/4] powerpc/pseries: expose firmware security variables via filesystem · Nayna Jain <nayna@linux.ibm.com> · 2022-11-06
[PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Nayna Jain <nayna@linux.ibm.com> · 2022-11-06
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · kernel test robot <hidden> · 2022-11-07
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-11-09
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Nayna <hidden> · 2022-11-09
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-11-10
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Nayna <hidden> · 2022-11-14
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-11-17
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Nayna <hidden> · 2022-11-19
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-11-20
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · James Bottomley <James.Bottomley@HansenPartnership.com> · 2022-11-21
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-11-21
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · James Bottomley <James.Bottomley@HansenPartnership.com> · 2022-11-21
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-11-21
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · James Bottomley <James.Bottomley@HansenPartnership.com> · 2022-11-21
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-11-21
RE: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · David Laight <hidden> · 2022-11-21
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Nayna <hidden> · 2022-11-21
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · "Ritesh Harjani (IBM)" <ritesh.list@gmail.com> · 2022-11-19
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Nayna <hidden> · 2022-11-22
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Nayna <hidden> · 2022-11-23
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-11-23
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Nayna <hidden> · 2022-11-23
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Andrew Donnellan <hidden> · 2022-12-12
Re: [PATCH 2/4] fs: define a firmware security filesystem named fwsecurityfs · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2022-12-12
[PATCH 1/4] powerpc/pseries: Add new functions to PLPKS driver · Nayna Jain <nayna@linux.ibm.com> · 2022-11-06
[PATCH 4/4] powerpc/pseries: expose authenticated variables stored in LPAR PKS · Nayna Jain <nayna@linux.ibm.com> · 2022-11-06
[PATCH 3/4] powerpc/pseries: initialize fwsecurityfs with plpks arch-specific structure · Nayna Jain <nayna@linux.ibm.com> · 2022-11-06
Re: [PATCH 3/4] powerpc/pseries: initialize fwsecurityfs with plpks arch-specific structure · kernel test robot <hidden> · 2022-11-07

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: 2022-11-21 18:12:45
Also in: linux-efi, linux-fsdevel, linux-security-module, lkml

On Mon, Nov 21, 2022 at 12:33:55PM -0500, James Bottomley wrote:

On Mon, 2022-11-21 at 16:05 +0100, Greg Kroah-Hartman wrote:

quoted

On Mon, Nov 21, 2022 at 09:03:18AM -0500, James Bottomley wrote:

quoted

On Mon, 2022-11-21 at 12:05 +0100, Greg Kroah-Hartman wrote:

quoted

On Sun, Nov 20, 2022 at 10:14:26PM -0500, James Bottomley wrote:

[...]

quoted

I already explained in the email that sysfs contains APIs like
simple_pin_... which are completely inimical to namespacing.

Then how does the networking code handle the namespace stuff in
sysfs? That seems to work today, or am I missing something?

have you actually tried?

jejb@lingrow:~> sudo unshare --net bash
lingrow:/home/jejb # ls /sys/class/net/
lo  tun0  tun10  wlan0
lingrow:/home/jejb # ip link show
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT
group
default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

So, as you see, I've entered a network namespace and ip link shows
me the only interface I can see in that namespace (a down loopback)
but sysfs shows me every interface on the system outside the
namespace.

Then all of the code in include/kobject_ns.h is not being used?  We
have a whole kobject namespace set up for networking, I just assumed
they were using it.  If not, I'm all for ripping it out.

Hm, looking at the implementation, it seems to trigger off the
superblock (meaning you have to remount inside a mount namespace) and
it only works to control visibility in label based namespaces, so this
does actually work

jejb@lingrow:~/git/linux> sudo unshare  --net --mount bash 
lingrow:/home/jejb # mount -t sysfs none /sys
lingrow:/home/jejb # ls /sys/class/net/
lo

The label based approach means that any given file can be shown in one
and only one namespace, which works for net, but not much else
(although it probably could be adapted).

Great, thanks for verifying it works properly.

No other subsystem other than networking has cared about adding support
for namespaces to their sysfs representations.  But the base logic is
all there if they want to do so.

thanks,

greg k-h

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help