From: James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
To: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org,
serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org,
oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org,
luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org
Cc: linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
keyrings-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Subject: Re: Keyrings, user namespaces and the user_struct
Date: Tue, 25 Oct 2016 09:49:13 -0700 [thread overview]
Message-ID: <1477414153.3079.36.camel@HansenPartnership.com> (raw)
In-Reply-To: <17576.1477412418-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
On Tue, 2016-10-25 at 17:20 +0100, David Howells wrote:
> I have some questions about user namespacing, with regard to making
> keyrings
> namespaced. My current idea is to follow the following method:
>
> (1) A new key/keyring records the user_namespace active when it is
> created.
>
> (2) If a process's user_namespace doesn't match that recorded in a
> key then
> it gets ENOKEY if it tries to refer to it or access it and can't
> see it
> in /proc/keys.
>
> (3) A process's keyring subscriptions are cleared if CLONE_NEWUSER
> is passed
> to clone() or to unshare() so that it doesn't retain a keyring
> it can't
> access.
>
> (4) Each user_namespace has its own separate register of persistent
> keyrings
> and KEYCTL_GET_PERSISTENT can only get from the register of the
> currently
> caller's user_namespace. This is already upstream
>
> as this seems the simplest solution. I don't want to add a new
> CLONE_xxx flag as there isn't exactly a whole lot of room left.
OK, so the specific problem with this is that it fits perfectly the
container orchestration system use case but pretty much fails for any
non-orchestration use case.
For me it would fail in the architecture emulation use case: I actually
want an administerable container running as me, which means I use a
user_ns to escalate my privilege over the constrained system. However,
doing this in your world would now divorce me from any keyring I had
access to, which isn't what I want.
Why not make it the job of the orchestration system to drop keyrings?
So by default CLONE_NEWUSER subscribes to the same keyrings the owning
user does? That would mean it's configurable and you can add an extra
KEYCTL_ to give fine grained access, so subscriptions can be dropped
before the container is populated by its eventual end user, but the
default case is likely what someone using creation of a user_ns to
elevate their privilege wants.
James
next prev parent reply other threads:[~2016-10-25 16:49 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20161026143856.GL3334@pc.thejh.net>
[not found] ` <CALCETrU0PqNYmWx70pugkhj-kAD5DSzSi3swhK+v12WMYZYUZA@mail.gmail.com>
[not found] ` <17576.1477412418@warthog.procyon.org.uk>
[not found] ` <17576.1477412418-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-25 16:41 ` Keyrings, user namespaces and the user_struct Jann Horn
2016-10-25 16:49 ` James Bottomley [this message]
2016-10-25 16:53 ` David Howells
[not found] ` <18335.1477414412-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-25 16:56 ` James Bottomley
2016-10-26 7:18 ` José Bollo
[not found] ` <1477414605.3079.40.camel@HansenPartnership.com>
[not found] ` <1477414605.3079.40.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-10-25 17:06 ` Jann Horn
2016-10-25 17:30 ` David Howells
[not found] ` <20161025170602.GB24481@laptop.thejh.net>
[not found] ` <20161025170602.GB24481-GiL72Q0nGm9Crx9znvW9yA@public.gmane.org>
2016-10-25 18:05 ` James Bottomley
[not found] ` <1477418708.3079.52.camel@HansenPartnership.com>
[not found] ` <1477418708.3079.52.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-10-25 18:17 ` Jann Horn
[not found] ` <20161025181735.GC24481-GiL72Q0nGm9Crx9znvW9yA@public.gmane.org>
2016-10-25 18:21 ` James Bottomley
2016-10-25 19:34 ` Andy Lutomirski
[not found] ` <CALCETrU0PqNYmWx70pugkhj-kAD5DSzSi3swhK+v12WMYZYUZA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-10-25 20:41 ` David Howells
2016-10-26 14:34 ` David Howells
[not found] ` <9243.1477492490-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-26 14:38 ` Jann Horn
[not found] ` <20161026143856.GL3334-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org>
2016-10-26 14:48 ` David Howells
[not found] ` <9610.1477493338-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-26 18:10 ` Eric W. Biederman
[not found] ` <87mvhrrng3.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-26 18:35 ` David Howells
[not found] ` <3677.1477506925-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-27 16:11 ` David Howells
2016-10-27 16:18 ` Eric W. Biederman
[not found] ` <20947.1477428095@warthog.procyon.org.uk>
[not found] ` <20947.1477428095-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-25 20:51 ` James Bottomley
2016-10-26 5:54 ` Eric W. Biederman
[not found] ` <87shrju031.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-26 6:48 ` Eric W. Biederman
[not found] ` <18846.1477416621@warthog.procyon.org.uk>
[not found] ` <18846.1477416621-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-10-25 18:13 ` James Bottomley
[not found] ` <1477419204.3079.60.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-10-25 18:22 ` Jann Horn
[not found] ` <20161025182206.GD24481@laptop.thejh.net>
[not found] ` <20161025182206.GD24481-GiL72Q0nGm9Crx9znvW9yA@public.gmane.org>
2016-10-25 18:25 ` James Bottomley
2016-10-26 4:45 ` Eric W. Biederman
[not found] ` <87y41bvhui.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-26 7:37 ` David Howells
2016-10-26 4:38 ` Eric W. Biederman
2016-10-26 11:43 ` David Howells
2016-10-25 16:20 David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1477414153.3079.36.camel@HansenPartnership.com \
--to=james.bottomley-d9phhud1jfjcxq6kfmz53/egyhegw8jk@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=eparis-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=keyrings-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org \
--cc=simo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.