New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Will kdbus be optional? #8
Comments
why can't you? What is odd about your systems that it would refuse upstream kernel changes like this? |
We use our own IPC framework, that's specialized for security purposes. So will kdbus be optional? |
For context read (or actually don't) It is 20 pages of comments from "zester" like: |
I just wan't to know if kdbus be optional? And I miss read one of gregs articals where he mentioned kbus, but I corrected my self. And apologized. |
@zester who is "we"? If you don't want to use kdbus, don't, no one is forcing you to at all. If/when it gets merged into the kernel tree, just disable it and you will be fine. Unless you rely on systemd, then you might wish to take a look at it and why it is being created (hint, see the linux.conf.au talk on it next month for all the details.) |
Upstream kernels allow unprivileged users to create user namespaces and change their uid/gid. These patches update kdbus policy logic to handle this case and improve our current checks across user namespaces. So this patch adds: * kdbus_test_waitpid() to get exit code of childs. * kdbus_clone_userns_test() that performs the test inside a new user namespace. * Converts all the other tests to return CHECK_OK, CHECK_SKIP or CHECK_ERR so we are consistent. Currently we fail at kdbus_clone_userns_test() test #8. The next patch will fix this issue. Signed-off-by: Djalal Harouni <tixxdz@opendz.org>
Use the global kuid_t and kgid_t to store uid/gid values, this way we our policy checks will work across user namespaces. Note that currently we ignore that the user is privileged in its own namespaces and the policy access kuid_t and kgid_t were mapped into that namespace. If this is requested we can add it later a la: fs/inode.c:inode_owner_or_capable() Add kdbus_policy_make_access() to convert the user provided info to the current user namespace. Userspace struct is not changed, only the kernel one. This patch fixes test #8 of test-kdbus-policy Signed-off-by: Djalal Harouni <tixxdz@opendz.org> [daniel: group kdbus_policy_db_entry_access->{uid,gid} in a union]
Will kdbus be optional I can't have this running in the kernel on our systems.
The text was updated successfully, but these errors were encountered: