search for: xattr

...le LSMs side by side without interfering with each other. The ultimate decision will depend on individual LSM decision. Several changes need to be made to the LSM infrastructure to be able to support that. This patch set tackles one of them: gives to each LSM the ability to specify one or multiple xattrs to be set at inode creation time and, at the same time, gives to EVM the ability to access all those xattrs and calculate the HMAC on them. The first problem that this patch set addresses is to make the inode_init_security hook definition suitable to use with EVM which, unlike other LSMs, needs t...

...le LSMs side by side without interfering with each other. The ultimate decision will depend on individual LSM decision. Several changes need to be made to the LSM infrastructure to be able to support that. This patch set tackles one of them: gives to each LSM the ability to specify one or multiple xattrs to be set at inode creation time and, at the same time, gives to EVM the ability to access all those xattrs and calculate the HMAC on them. The first problem that this patch set addresses is to make the inode_init_security hook definition suitable to use with EVM which, unlike other LSMs, needs t...

...t 4:19?AM Roberto Sassu > > > <roberto.sassu at huaweicloud.com> wrote: > > > > From: Roberto Sassu <roberto.sassu at huawei.com> > > > > > > > > Currently, security_inode_init_security() supports only one LSM providing > > > > an xattr and EVM calculating the HMAC on that xattr, plus other inode > > > > metadata. > > > > > > > > Allow all LSMs to provide one or multiple xattrs, by extending the security > > > > blob reservation mechanism. Introduce the new lbs_xattr field of the &gt...

...t; On Tue, Mar 14, 2023 at 4:19?AM Roberto Sassu > > <roberto.sassu at huaweicloud.com> wrote: > > > From: Roberto Sassu <roberto.sassu at huawei.com> > > > > > > Currently, security_inode_init_security() supports only one LSM providing > > > an xattr and EVM calculating the HMAC on that xattr, plus other inode > > > metadata. > > > > > > Allow all LSMs to provide one or multiple xattrs, by extending the security > > > blob reservation mechanism. Introduce the new lbs_xattr field of the > > > lsm_blob...

...t; > > > <roberto.sassu at huaweicloud.com> wrote: > > > > > From: Roberto Sassu <roberto.sassu at huawei.com> > > > > > > > > > > Currently, security_inode_init_security() supports only one LSM providing > > > > > an xattr and EVM calculating the HMAC on that xattr, plus other inode > > > > > metadata. > > > > > > > > > > Allow all LSMs to provide one or multiple xattrs, by extending the security > > > > > blob reservation mechanism. Introduce the new lbs_x...

On Thu, 2022-12-01 at 11:41 +0100, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu at huawei.com> > > In preparation for removing security_old_inode_init_security(), switch to > security_inode_init_security(). > > Extend the existing ocfs2_initxattrs() to take the > ocfs2_security_xattr_info structure from fs_info, and populate the > name/value/len triple with the first xattr provided by LSMs. Hi Mark, Joel, Joseph some time ago I sent this patch set to switch to the newer function security_inode_init_security(). Almost all the other p...

The proper file that should be included is `sys/xattr.h` as that comes from `glibc` and not `attr/xattr.h` which ships with the `attr` utility. New enough `attr` utility (at least 2.4.48 in my case) even includes a #warning in `attr/xattr.h` for projects that still have this mistake in the code. --- daemon/xattr.c | 8 ++------ fuse/test-fu...

From: Roberto Sassu <roberto.sassu at huawei.com> In preparation for removing security_old_inode_init_security(), switch to security_inode_init_security(). Extend the existing ocfs2_initxattrs() to take the ocfs2_security_xattr_info structure from fs_info, and populate the name/value/len triple with the first xattr provided by LSMs. As fs_info was not used before, ocfs2_initxattrs() can now handle the case of replicating the behavior of security_old_inode_init_security(), i.e. just obt...

Currently, when listing xattrs, kernel define XATTR_LIST_MAX as 65536 in include/linux/limits.h, so it can't handle too many xattrs. But with ocfs2 xattr tree, we actually have no limit for the number. And it will pollute the message with something like this when listing. (27738,0):ocfs2_iterate_xattr_buckets:3158 ERROR: s...

...n 3.1.0 protocol version 31 Copyright (C) 1996-2013 by Andrew Tridgell, Wayne Davison, and others. Web site: http://rsync.samba.org/ Capabilities: 64-bit files, 64-bit inums, 64-bit timestamps, 64-bit long ints, socketpairs, hardlinks, symlinks, IPv6, batchfiles, inplace, append, ACLs, xattrs, iconv, symtimes, prealloc, no SLP > uname -a Linux Ishtar 3.15.6-Isht-Van #1 SMP PREEMPT Sat Jul 19 12:31:28 PDT 2014 x86_64 x86_64 x86_64 GNU/Linux File system info: > xfs_info /home meta-data=/dev/mapper/Data-Home isize=512 agcount=32, agsize=12582896 blks =...

I see that rsync will eventually support extended attributes, which will be great. But: will it allow backup from a file system that supports xattrs, to one that does not? For this to work, rsync would have to represent the xattrs on the destination machine in some special format, I suppose, which is outside the usual rsync mode of operation. Moreover, even if both machines support xattrs, their might be restrictions and subtle differ...

Hey everyone, after we finished the introduction of the new posix acl api last cycle we still left the generic POSIX ACL xattr handler around for two reasons. First, because a few filesystems relied on the ->list() method of the generic POSIX ACL xattr handlers in their ->listxattr() inode operation. Second, during inode initalization in inode_init_always() the registered xattr handlers in sb->s_xattr are used to...

If the system supports selinux, we will return sucessfully from ocfs2_init_security_get if it is called for the mount point. And in that case if the volume doesn't have xattr support, we will not be able to create a new inode in the mount dir because ocfs2_mknod will try to set security attributes for a new created inode. This patch check xattr support in ocfs2_init_security_get, so it will let ocfs2_mknod knows that we don't support xattr and it don't need to i...

Tristan, could you please run your xattr test against it? xs->base used to be allocated a 4K size and all the contents in the bucket are copied to the it. So in ocfs2_xattr_bucket_set_value_outside, we are safe to use xs->base + offset. Now we use ocfs2_xattr_bucket to abstract xattr bucket and xs->base is initialized to the sta...

https://bugzilla.samba.org/show_bug.cgi?id=5939 Summary: rsync: delete of stat xattr failed for ... (in backup): Operation not permitted (1) Product: rsync Version: 3.0.4 Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P3 Component: core AssignedTo:...

Mark and Joel, I found two serious bugs about xattr and inline-data. the first bug: in ocfs2_mknod(), we check and found the ACL or security xattr entry could be set into inode in ocfs2_calc_xattr_init(), then don't reserve block for them. But in ocfs2_mknod_locked(), if we found ocfs2 support inline-data, then set id_count with the max_inli...

Hi! I'm new here, so I ask for your patience :) Some xattrs can't be copied between filesystems. For instance, compressed btrfs has a "btrfs.compression" xattr. When rsync -X is used in this situation, it exits with error code 23 (partial file/attr), which seems dangerous to be ignored. Would it be reasonable to filter filesystem-specific fl...

...to Sassu wrote: > > > From: Roberto Sassu <roberto.sassu at huawei.com> > > > > > > In preparation for removing security_old_inode_init_security(), switch to > > > security_inode_init_security(). > > > > > > Extend the existing ocfs2_initxattrs() to take the > > > ocfs2_security_xattr_info structure from fs_info, and populate the > > > name/value/len triple with the first xattr provided by LSMs. > > > > Hi Mark, Joel, Joseph > > > > some time ago I sent this patch set to switch to the newer &gt...

Modification from V2 to V3: Use a more pefect code suggested by Joel. Thank Joel for it. In ocfs2/xattr, we must make sure the xattrs which have the same hash value exist in the same bucket so that the search schema can work. But in the old implementation, when we want to extend a bucket, we just move half number of xattrs to the new bucket. This works in most cases, but if we are lucky enough we wil...

Hi, we needed these changes when we had to build a guest image compatible with a starting guest image but not backed by it in any way? We needed some tool to check our progress, comparing original and? rebuilt (from scratch) images, and virt-diff seemed the best option, but? we had to soften the comparison to reduce the noise in the output. I added some options to ignore certain informations when