search for: xattrs

...le LSMs side by side without interfering with each other. The ultimate decision will depend on individual LSM decision. Several changes need to be made to the LSM infrastructure to be able to support that. This patch set tackles one of them: gives to each LSM the ability to specify one or multiple xattrs to be set at inode creation time and, at the same time, gives to EVM the ability to access all those xattrs and calculate the HMAC on them. The first problem that this patch set addresses is to make the inode_init_security hook definition suitable to use with EVM which, unlike other LSMs, needs to...

...le LSMs side by side without interfering with each other. The ultimate decision will depend on individual LSM decision. Several changes need to be made to the LSM infrastructure to be able to support that. This patch set tackles one of them: gives to each LSM the ability to specify one or multiple xattrs to be set at inode creation time and, at the same time, gives to EVM the ability to access all those xattrs and calculate the HMAC on them. The first problem that this patch set addresses is to make the inode_init_security hook definition suitable to use with EVM which, unlike other LSMs, needs to...

...gt; > > > > Currently, security_inode_init_security() supports only one LSM providing > > > > an xattr and EVM calculating the HMAC on that xattr, plus other inode > > > > metadata. > > > > > > > > Allow all LSMs to provide one or multiple xattrs, by extending the security > > > > blob reservation mechanism. Introduce the new lbs_xattr field of the > > > > lsm_blob_sizes structure, so that each LSM can specify how many xattrs it > > > > needs, and the LSM infrastructure knows how many xattr slots it shoul...

...uawei.com> > > > > > > Currently, security_inode_init_security() supports only one LSM providing > > > an xattr and EVM calculating the HMAC on that xattr, plus other inode > > > metadata. > > > > > > Allow all LSMs to provide one or multiple xattrs, by extending the security > > > blob reservation mechanism. Introduce the new lbs_xattr field of the > > > lsm_blob_sizes structure, so that each LSM can specify how many xattrs it > > > needs, and the LSM infrastructure knows how many xattr slots it should > > &gt...

...t; Currently, security_inode_init_security() supports only one LSM providing > > > > > an xattr and EVM calculating the HMAC on that xattr, plus other inode > > > > > metadata. > > > > > > > > > > Allow all LSMs to provide one or multiple xattrs, by extending the security > > > > > blob reservation mechanism. Introduce the new lbs_xattr field of the > > > > > lsm_blob_sizes structure, so that each LSM can specify how many xattrs it > > > > > needs, and the LSM infrastructure knows how many xattr...

On Thu, 2022-12-01 at 11:41 +0100, Roberto Sassu wrote: > From: Roberto Sassu <roberto.sassu at huawei.com> > > In preparation for removing security_old_inode_init_security(), switch to > security_inode_init_security(). > > Extend the existing ocfs2_initxattrs() to take the > ocfs2_security_xattr_info structure from fs_info, and populate the > name/value/len triple with the first xattr provided by LSMs. Hi Mark, Joel, Joseph some time ago I sent this patch set to switch to the newer function security_inode_init_security(). Almost all the other pa...

...c | 4 ---- lib/fuse.c | 2 +- m4/guestfs-libraries.m4 | 1 - 4 files changed, 3 insertions(+), 12 deletions(-) diff --git a/daemon/xattr.c b/daemon/xattr.c index bbe571b3f8bb..b10f6bddf4d0 100644 --- a/daemon/xattr.c +++ b/daemon/xattr.c @@ -37,12 +37,8 @@ #ifdef HAVE_LINUX_XATTRS -# ifdef HAVE_ATTR_XATTR_H -# include <attr/xattr.h> -# else -# ifdef HAVE_SYS_XATTR_H -# include <sys/xattr.h> -# endif +# ifdef HAVE_SYS_XATTR_H +# include <sys/xattr.h> # endif int diff --git a/fuse/test-fuse.c b/fuse/test-fuse.c index 5ce8322f0d0e..ac0a49348a3a 100...

From: Roberto Sassu <roberto.sassu at huawei.com> In preparation for removing security_old_inode_init_security(), switch to security_inode_init_security(). Extend the existing ocfs2_initxattrs() to take the ocfs2_security_xattr_info structure from fs_info, and populate the name/value/len triple with the first xattr provided by LSMs. As fs_info was not used before, ocfs2_initxattrs() can now handle the case of replicating the behavior of security_old_inode_init_security(), i.e. just obta...

Currently, when listing xattrs, kernel define XATTR_LIST_MAX as 65536 in include/linux/limits.h, so it can't handle too many xattrs. But with ocfs2 xattr tree, we actually have no limit for the number. And it will pollute the message with something like this when listing. (27738,0):ocfs2_iterate_xattr_buckets:3158 ERROR: st...

...n 3.1.0 protocol version 31 Copyright (C) 1996-2013 by Andrew Tridgell, Wayne Davison, and others. Web site: http://rsync.samba.org/ Capabilities: 64-bit files, 64-bit inums, 64-bit timestamps, 64-bit long ints, socketpairs, hardlinks, symlinks, IPv6, batchfiles, inplace, append, ACLs, xattrs, iconv, symtimes, prealloc, no SLP > uname -a Linux Ishtar 3.15.6-Isht-Van #1 SMP PREEMPT Sat Jul 19 12:31:28 PDT 2014 x86_64 x86_64 x86_64 GNU/Linux File system info: > xfs_info /home meta-data=/dev/mapper/Data-Home isize=512 agcount=32, agsize=12582896 blks =...

I see that rsync will eventually support extended attributes, which will be great. But: will it allow backup from a file system that supports xattrs, to one that does not? For this to work, rsync would have to represent the xattrs on the destination machine in some special format, I suppose, which is outside the usual rsync mode of operation. Moreover, even if both machines support xattrs, their might be restrictions and subtle differe...

...ration. Second, during inode initalization in inode_init_always() the registered xattr handlers in sb->s_xattr are used to raise IOP_XATTR in inode->i_opflags. With the removal of the legacy POSIX ACL handlers it is at least possible for a filesystem to only implement POSIX ACLs but no other xattrs. If that were to happen we would miss to raise IOP_XATTR because sb->s_xattr would be NULL. Fix these things and then get rid of the misleading and effectively already unused generic POSIX ACL handlers. For most filesystems it is a trivial removal of the generic POSIX ACL handlers. Only for er...

If the system supports selinux, we will return sucessfully from ocfs2_init_security_get if it is called for the mount point. And in that case if the volume doesn't have xattr support, we will not be able to create a new inode in the mount dir because ocfs2_mknod will try to set security attributes for a new created inode. This patch check xattr support in ocfs2_init_security_get, so it will

Tristan, could you please run your xattr test against it? xs->base used to be allocated a 4K size and all the contents in the bucket are copied to the it. So in ocfs2_xattr_bucket_set_value_outside, we are safe to use xs->base + offset. Now we use ocfs2_xattr_bucket to abstract xattr bucket and xs->base is initialized to the start of the bu_bhs[0]. So xs->base + offset will overflow

https://bugzilla.samba.org/show_bug.cgi?id=5939 Summary: rsync: delete of stat xattr failed for ... (in backup): Operation not permitted (1) Product: rsync Version: 3.0.4 Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P3 Component: core AssignedTo:

Mark and Joel, I found two serious bugs about xattr and inline-data. the first bug: in ocfs2_mknod(), we check and found the ACL or security xattr entry could be set into inode in ocfs2_calc_xattr_init(), then don't reserve block for them. But in ocfs2_mknod_locked(), if we found ocfs2 support inline-data, then set id_count with the max_inline_data. After that, we set acl/security xattr

Hi! I'm new here, so I ask for your patience :) Some xattrs can't be copied between filesystems. For instance, compressed btrfs has a "btrfs.compression" xattr. When rsync -X is used in this situation, it exits with error code 23 (partial file/attr), which seems dangerous to be ignored. Would it be reasonable to filter filesystem-specific fla...

...to Sassu wrote: > > > From: Roberto Sassu <roberto.sassu at huawei.com> > > > > > > In preparation for removing security_old_inode_init_security(), switch to > > > security_inode_init_security(). > > > > > > Extend the existing ocfs2_initxattrs() to take the > > > ocfs2_security_xattr_info structure from fs_info, and populate the > > > name/value/len triple with the first xattr provided by LSMs. > > > > Hi Mark, Joel, Joseph > > > > some time ago I sent this patch set to switch to the newer >...

Modification from V2 to V3: Use a more pefect code suggested by Joel. Thank Joel for it. In ocfs2/xattr, we must make sure the xattrs which have the same hash value exist in the same bucket so that the search schema can work. But in the old implementation, when we want to extend a bucket, we just move half number of xattrs to the new bucket. This works in most cases, but if we are lucky enough we will make 2 xattrs into 2 differe...

Hi, we needed these changes when we had to build a guest image compatible with a starting guest image but not backed by it in any way? We needed some tool to check our progress, comparing original and? rebuilt (from scratch) images, and virt-diff seemed the best option, but? we had to soften the comparison to reduce the noise in the output. I added some options to ignore certain informations when