From mboxrd@z Thu Jan 1 00:00:00 1970
From: James Bottomley
Subject: Re: [Lsf-pc] [LSF/MM TOPIC] Filesystem namespaces and uid/gid/lsm remapping
Date: Sun, 22 Feb 2015 08:52:48 -0800
Message-ID: <1424623968.2146.70.camel@HansenPartnership.com>
References: <31764.1417802507@warthog.procyon.org.uk> <87ppbtrefj.fsf@x220.int.ebiederm.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: David Howells , Lukasz Pawelczyk , Richard Weinberger , Andy Lutomirski , Seth Forshee , Linux FS Devel , lsf-pc@lists.linux-foundation.org
To: "Eric W. Biederman"
Return-path:
Received: from bedivere.hansenpartnership.com ([66.63.167.143]:48889 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1751872AbbBVQwu (ORCPT );
	Sun, 22 Feb 2015 11:52:50 -0500
In-Reply-To: <87ppbtrefj.fsf@x220.int.ebiederm.org>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

On Mon, 2014-12-08 at 15:59 -0600, Eric W. Biederman wrote:
> David Howells writes:
>
> > Andy Lutomirski wrote:
> >
> >> - How should LSM security labels be translated?
> >
> > I'm definitely interested in that. Especially with respect to how to deal
> > with SELinux + overlay{fs,}/unionmount.
> >
> > Also, I'm interested in how keyrings should interact with namespaces. Should
> > keys be namespaced?
>
> Key lookups are already per user namespace, so I would call that
> namespaced. We do have the question with keys, should we allow
> duplicate key values so that checkpoint/restart can carry keys between
> different kernels.
>
> > And I'm also interested in how upcalls, including to /sbin/request-key, should
> > be dealt with.
>
> Good question. There is some ongoing discussion on that right now.

Aren't the upcalls exactly the same problem as NFS in a container (which
uses daemon upcalls). Can the existing solution for that be generalised?

James