Amir Goldstein | 1 Jun 2011 05:26

Re: [PATCH] fix hardcoded reference to /mnt/test in common.attr

On Tue, May 31, 2011 at 11:29 PM, Christoph Hellwig <hch <at> infradead.org> wrote:
> Thanks, applied.
>
> (after fixing whitespace damage in the patch)

Sorry about those... I usually get away with copy&paste of a single patch
to gmail.
It works with the kernel coding convention of tab indentation and short lines,
but xfstests appears to have some space indentation and long lines,
so it doesn't go that well.
I apologize in advance for the other damaged patch already sent out
(ext4dev FSTYP support).

>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Eric Sandeen | 1 Jun 2011 06:37

Re: [PATCH] xfstests: add support for ext4dev FSTYP

On 5/31/11 10:13 PM, Amir Goldstein wrote:
> From: Amir Goldstein <amir73il <at> users.sf.net>
> 
> blkid knows to identify the ext4dev FSTYP of a partition that was
> formatted with mkfs.ext4dev.
> quota tools and various util-linux utils are also aware of ext4dev,
> so ext4dev shares the same capabilities as ext4.
> 
> While testing on Fedora 15, we encountered a buggy fsck utility, which
> invokes fsck.ext4, even though it was called with -t ext4dev argument.
> In our setup fsck.ext4dev knows about new fs features that fsck.ext4
> doesn't know, so the generic_fs_check fails.
> Since we have no real use of the extra capabilities provided by fsck util,
> we decided to invoke fsck.$FSTYP directly to avoid this issue.

Adding ext4dev to every case seems harmless enough.  TBH I thought I had
it there already but I guess not.

I'm less certain of the change from fsck -t $FSTYP to fsck.$FSTYP

What issue are you avoiding?  Wouldn't fsck -t ext4dev invoke fsck.ext4dev anyway?

It seems like it should be harmless, but I don't understand how it helps you.

Thanks,
-Eric

> Signed-off-by: Amir Goldstein <amir73il <at> users.sf.net>
> Tested-by: Sergey Ivanov <sergey57 <at> gmail.com>
> ---

Eric Sandeen | 1 Jun 2011 07:34

Re: [PATCH] xfstests: add support for ext4dev FSTYP

On 6/1/11 12:22 AM, Eric Sandeen wrote:
> On 5/31/11 11:56 PM, Amir Goldstein wrote:
>> On Wed, Jun 1, 2011 at 7:37 AM, Eric Sandeen <sandeen <at> redhat.com> wrote:
>>> On 5/31/11 10:13 PM, Amir Goldstein wrote:
>>>> From: Amir Goldstein <amir73il <at> users.sf.net>
>>>>
>>>> blkid knows to identify the ext4dev FSTYP of a partition that was
>>>> formatted with mkfs.ext4dev.
>>>> quota tools and various util-linux utils are also aware of ext4dev,
>>>> so ext4dev shares the same capabilities as ext4.
>>>>
>>>> While testing on Fedora 15, we encountered a buggy fsck utility, which
>>>> invokes fsck.ext4, even though it was called with -t ext4dev argument.
>>>> In our setup fsck.ext4dev knows about new fs features that fsck.ext4
>>>> doesn't know, so the generic_fs_check fails.
>>>> Since we have no real use of the extra capabilities provided by fsck util,
>>>> we decided to invoke fsck.$FSTYP directly to avoid this issue.
>>>
>>> Adding ext4dev to every case seems harmless enough.  TBH I thought I had
>>> it there already but I guess not.
>>>
>>> I'm less certain of the change from fsck -t $FSTYP to fsck.$FSTYP
>>>
>>> What issue are you avoiding?  Wouldn't fsck -t ext4dev invoke fsck.ext4dev anyway?
>>>
>>> It seems like it should be harmless, but I don't understand how it helps you.
>>>
>>
>> As I wrote in the patch description, the fsck utility in Fedora 15 invokes
>> fsck.ext4 for some reason when calling fsck -t ext4dev.

Miklos Szeredi | 1 Jun 2011 14:46

[PATCH 3/7] vfs: introduce clone_private_mount()

From: Miklos Szeredi <mszeredi <at> suse.cz>

Overlayfs needs a private clone of the mount, so create a function for
this and export to modules.

Signed-off-by: Miklos Szeredi <mszeredi <at> suse.cz>
---
 fs/namespace.c        |   17 +++++++++++++++++
 include/linux/mount.h |    3 +++
 2 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index fe59bd1..79bc9a7 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
 <at>  <at>  -1494,6 +1494,23  <at>  <at>  void drop_collected_mounts(struct vfsmount *mnt)
 	release_mounts(&umount_list);
 }

+struct vfsmount *clone_private_mount(struct path *path)
+{
+	struct vfsmount *mnt;
+
+	if (IS_MNT_UNBINDABLE(path->mnt))
+		return ERR_PTR(-EINVAL);
+
+	down_read(&namespace_sem);
+	mnt = clone_mnt(path->mnt, path->dentry, CL_PRIVATE);
+	up_read(&namespace_sem);
+	if (!mnt)
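
Review bot: IS_MNT_UNBINDABLE(path->mnt) is tested before down_read(&namespace_sem) is taken, so the mount's propagation type is read outside the lock that the clone_mnt() call runs under, and the answer can be stale by the time the clone happens. Move the test inside the down_read()/up_read() section, releasing the semaphore on the -EINVAL path. Since the commit message says the function is exported to modules, a comment stating what callers may do with the returned private mount and how they release it would also help.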

Miklos Szeredi | 1 Jun 2011 14:46

[PATCH 4/7] overlay filesystem

From: Miklos Szeredi <mszeredi <at> suse.cz>

Overlayfs allows one, usually read-write, directory tree to be
overlaid onto another, read-only directory tree.  All modifications
go to the upper, writable layer.

This type of mechanism is most often used for live CDs but there's a
wide variety of other uses.

The implementation differs from other "union filesystem"
implementations in that after a file is opened all operations go
directly to the underlying, lower or upper, filesystems.  This
simplifies the implementation and allows native performance in these
cases.

The dentry tree is duplicated from the underlying filesystems, this
enables fast cached lookups without adding special support into the
VFS.  This uses slightly more memory than union mounts, but dentries
are relatively small.

Currently inodes are duplicated as well, but it is a possible
optimization to share inodes for non-directories.

Opening non directories results in the open forwarded to the
underlying filesystem.  This makes the behavior very similar to union
mounts (with the same limitations vs. fchmod/fchown on O_RDONLY file
descriptors).

Usage:


Miklos Szeredi | 1 Jun 2011 14:46

[PATCH 2/7] vfs: export do_splice_direct() to modules

From: Miklos Szeredi <mszeredi <at> suse.cz>

Export do_splice_direct() to modules.  Needed by overlay filesystem.

Signed-off-by: Miklos Szeredi <mszeredi <at> suse.cz>
---
 fs/splice.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/fs/splice.c b/fs/splice.c
index aa866d3..bd730eb 100644
--- a/fs/splice.c
+++ b/fs/splice.c
 <at>  <at>  -1300,6 +1300,7  <at>  <at>  long do_splice_direct(struct file *in, loff_t *ppos, struct file *out,

 	return ret;
 }
+EXPORT_SYMBOL(do_splice_direct);

 static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
 			       struct pipe_inode_info *opipe,
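
Review bot: The added export line after do_splice_direct() uses plain EXPORT_SYMBOL, which makes this internal splice helper callable from every module, while the commit message names the overlay filesystem as the only user. Consider EXPORT_SYMBOL_GPL to keep the exposure narrow, and add a short comment above the function stating what a module caller must guarantee about the in and out files, since nothing in the hunk documents that contract.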
--

-- 
1.7.3.4


Miklos Szeredi | 1 Jun 2011 16:10

Re: [PATCH] fuse: fix non-ANSI void function notation

Randy Dunlap <randy.dunlap <at> oracle.com> writes:

> From: Randy Dunlap <randy.dunlap <at> oracle.com>
>
> Fix void function parameter list sparse warning:
>
> fs/fuse/inode.c:74:44: warning: non-ANSI function declaration of
> function 'fuse_alloc_forget'

Thanks Randy, applied.

Miklos

Amir G. | 2 Jun 2011 09:16

Re: [PATCH v2] xfstests: add support for ext4dev FSTYP

On Thu, Jun 2, 2011 at 5:33 AM, Amir G. <amir73il <at> users.sourceforge.net> wrote:
> On Thu, Jun 2, 2011 at 5:16 AM, Amir G. <amir73il <at> users.sourceforge.net> wrote:
>> On Thu, Jun 2, 2011 at 2:28 AM, Dave Chinner <david <at> fromorbit.com> wrote:
>>> On Wed, Jun 01, 2011 at 03:56:52PM +0300, amir73il <at> users.sourceforge.net wrote:
>>>> From: Amir Goldstein <amir73il <at> users.sf.net>
>>>>
>>>> From: Amir Goldstein <amir73il <at> users.sf.net>
>>>>
>>>> blkid knows to identify the ext4dev FSTYP of a partition that was
>>>> formatted with mkfs.ext4dev.
>>>> quota tools and various util-linux utils are also aware of ext4dev,
>>>> so ext4dev shares the same capabilities as ext4.
>>>>
>>>> Signed-off-by: Amir Goldstein <amir73il <at> users.sf.net>
>>>> Tested-by: Sergey Ivanov <sergey57 <at> gmail.com>
>>>> ---
>>>> ext4dev is used to test experimental ext4 code in mutual existence
>>>> with production ext4 code on the same system.
>>>>
>>>> Specifically, ext4 snapshots code is available for testing as a
>>>> stand-alone ext4dev module for Fedora 15 and Ubuntu 11.4
>>>> (see http://next3.sf.net).
>>>>
>>>> v1 -> v2:
>>>> - undo change of fsck -t $FSTYP to fsck.$FSTYP
>>>>
>>>>  common.defrag |    2 +-
>>>>  common.quota  |    4 ++--
>>>>  common.rc     |   10 +++++-----
>>>>  3 files changed, 8 insertions(+), 8 deletions(-)

Mimi Zohar | 2 Jun 2011 14:23

[PATCH v6 00/20] EVM

Discretionary Access Control (DAC) and Mandatory Access Control (MAC) can
protect the integrity of a running system from unauthorized changes. When
these protections are not running, such as when booting a malicious OS,
mounting the disk under a different operating system, or physically moving
the disk to another system, an "offline" attack is free to read and write
file data/metadata.

Extended Verification Module (EVM) detects offline tampering of the security
extended attributes (e.g. security.selinux, security.SMACK64, security.ima),
which is the basis for LSM permission decisions and, with the IMA-appraisal
patchset, integrity appraisal decisions. This patchset provides the framework
and an initial method to detect offline tampering of the security extended
attributes.  The initial method maintains an HMAC-sha1 across a set of
security extended attributes, storing the HMAC as the extended attribute
'security.evm'. To verify the integrity of an extended attribute, EVM exports
evm_verifyxattr(), which re-calculates the HMAC and compares it with the
version stored in 'security.evm'.  Other methods of validating the integrity
of a file's metadata will be posted separately (e.g. EVM-digital-signatures).

Although an offline attack can bypass DAC/MAC protection mechanisms and write
file data/metadata, if the disk, or VM, is subsequently remounted under the
EVM + DAC/MAC (+ IMA-appraisal) protected OS, then the TPM-calculated HMAC of
the file's metadata won't be valid.  Therefore, IMA + MAC/DAC + EVM
(+ IMA-appraisal) can protect system integrity online, detect offline tampering,
and prevent tampered files from being accessed.

While this patchset does authenticate the security xattrs, and
cryptographically binds them to the inode, coming extensions will bind other
directory and inode metadata for more complete protection.  To help simplify
the review and upstreaming process, each extension will be posted separately
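
A user-space model of the HMAC scheme this cover letter describes, added here as an illustration and not code from the patchset: it computes HMAC-SHA1 over the protected security xattrs, stores it as security.evm, and re-verifies after a simulated offline edit. The byte layout, the inode-number binding, the key and the sample labels are assumptions of the example.

```python
import hashlib
import hmac
import struct

# Protected xattr names are the ones listed in the cover letter; the order is
# fixed so that the writer and the verifier hash the same byte stream.
PROTECTED = ("security.selinux", "security.SMACK64", "security.ima")
EVM_XATTR = "security.evm"


def evm_hmac(key, xattrs, ino):
    """HMAC-SHA1 over the protected xattrs present on the file, bound to ino."""
    # Assumption: length-prefixed name and value, then the inode number.
    # This is a layout chosen for the sketch, not the kernel's format.
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for name in PROTECTED:
        value = xattrs.get(name)
        if value is None:
            continue  # an absent attribute contributes nothing to the MAC
        for field in (name.encode(), value):
            mac.update(struct.pack("<I", len(field)) + field)
    mac.update(struct.pack("<Q", ino))
    return mac.digest()


def seal(key, xattrs, ino):
    """Return a copy of xattrs with security.evm set, as the online OS would."""
    sealed = dict(xattrs)
    sealed[EVM_XATTR] = evm_hmac(key, xattrs, ino)
    return sealed


def verify(key, xattrs, ino):
    """Model of the evm_verifyxattr() idea: recompute the HMAC and compare."""
    stored = xattrs.get(EVM_XATTR)
    if stored is None:
        return "no-label"
    ok = hmac.compare_digest(stored, evm_hmac(key, xattrs, ino))
    return "pass" if ok else "fail"


# Constructed sample data: a key held only by the protected OS, and one file.
KEY = b"constructed-demo-key"
FILE_XATTRS = {"security.selinux": b"system_u:object_r:etc_t:s0",
               "security.ima": b"\x01" + bytes(20)}
SEALED = seal(KEY, FILE_XATTRS, ino=1234)
# Offline edit: the label is rewritten, but security.evm cannot be recomputed.
TAMPERED = {**SEALED, "security.selinux": b"system_u:object_r:tmp_t:s0"}
```

Because the inode number is part of the MAC input in this model, copying a valid set of xattrs (including security.evm) onto a different inode also fails verification.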

Mimi Zohar | 2 Jun 2011 14:23

[PATCH v6 02/20] xattr: define vfs_getxattr_alloc and vfs_xattr_cmp

vfs_getxattr_alloc() and vfs_xattr_cmp() are two new kernel xattr helper
functions.  vfs_getxattr_alloc() first allocates memory for the requested
xattr and then retrieves it. vfs_xattr_cmp() compares a given value with
the contents of an extended attribute.

Signed-off-by: Mimi Zohar <zohar <at> us.ibm.com>
Acked-by: Serge Hallyn <serge.hallyn <at> ubuntu.com>
---
 fs/xattr.c            |   58 +++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/xattr.h |    5 +++-
 2 files changed, 62 insertions(+), 1 deletions(-)

diff --git a/fs/xattr.c b/fs/xattr.c
index f060663..851808c 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
 <at>  <at>  -166,6 +166,64  <at>  <at>  out_noalloc:
 }
 EXPORT_SYMBOL_GPL(xattr_getsecurity);

+/*
+ * vfs_getxattr_alloc - allocate memory, if necessary, before calling getxattr
+ *
+ * Allocate memory, if not already allocated, or re-allocate correct size,
+ * before retrieving the extended attribute.
+ *
+ * Returns the result of alloc, if failed, or the getxattr operation.
+ */
+ssize_t
+vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value,
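
Review bot: The comment above vfs_getxattr_alloc() does not state who owns *xattr_value. It says memory is allocated "if not already allocated" or re-allocated, so a caller may pass in an existing buffer, but nothing says whether that buffer is freed or left intact when the allocation or the getxattr call fails, or that the caller must free the result. Spell out that contract and the return convention (negative errno versus length) in kernel-doc form, opening with /** and giving one line per parameter, since this helper is new API.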

