On Mon, 2016-05-30 at 16:10 +0200, Miklos Szeredi wrote:
> On Fri, May 20, 2016 at 11:53:18PM +0300, Krisztian Litkey wrote:
> > On Fri, May 20, 2016 at 8:00 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> >
> > > We deferred __fput() back in 2012 in order for IMA to safely take the
> > > i_mutex and write security.ima. Writing the security.ima xattr now
> > > triggers overlayfs to write the xattr, but overlayfs doesn't
> > > differentiate between callers - as a result of userspace or as described
> > > here in __fput(). All calls to ovl_setxattr() should call vfs_setxattr,
> > > except the one triggered by __fput(). Refer to the original lockdep
> > > report -
> > > http://thread.gmane.org/gmane.linux.file-systems.union/640
> >
> Looks like more fallout from 4bacc9c9234c ("overlayfs: Make f_path always point
> to the overlay and f_inode to the underlay").
>
> Not sure what we want here. Doing everything on the underlying dentry/inode
> would be trivial (see attached patch).
>
> Question is, can we get setxattr() on file opened for O_RDONLY? If so, then
> that could fail on overlayfs (lower layer is read-only).

Normally only after a file has been modified is the xattr written. However, in "fix" mode, the xattr would be written for files opened read-only (e.g. bprm, mmap execute).

Mimi