From: "Serge E. Hallyn" <serge@hallyn.com>
To: David Howells <dhowells@redhat.com>
Cc: linux-kernel@vger.kernel.org,
	containers@lists.linux-foundation.org, ebiederm@xmission.com,
	"Serge E. Hallyn" <serge.hallyn@canonical.com>
Subject: Re: [RFC PATCH 01/14] add Documentation/namespaces/user_namespace.txt
Date: Thu, 14 Jul 2011 02:37:30 +0000	[thread overview]
Message-ID: <20110714023730.GA21662@hallyn.com> (raw)
In-Reply-To: <31047.1310561116@redhat.com>

Quoting David Howells (dhowells@redhat.com):
> Serge Hallyn <serge@hallyn.com> wrote:

Thanks for the detailed comments, David.

> > +... The user namespace allows tasks to
> > +have different views of the uids and gids associated with tasks and
> > +other resources.
> 
> How does this relate to UIDs/GIDs stored on disk?

The current plan (see 'flexible uid mapping' at
https://wiki.ubuntu.com/UserNamespace) is:

The uid/gid stored on disk will be that in the init_user_ns.  Most
likely uid/gid in other namespaces will be stored in xattrs.  But
Eric was advocating (a few years ago) leaving the details up to
filesystems while providing a lib/ stock implementation.  See the
thread around here
http://www.mail-archive.com/devel@openvz.org/msg09331.html

...

> > ... Opening such files will result in obtaining the 'user other'
> > permissions.
> 
> How about "Permission to open such files will be granted according to the
> 'user other' permissions."?
> 
> Do you mean 'user other' or just 'other'?

'user other'

> > ... UID comparisons will return false, and privilege will be denied.
> 
> UID and GID both?

Right, GID is also part of the user namespace.

> You should probably be consistent about using all 'UID/GID' or all 'uid/gid'.
> I prefer the former as it's an acronym, but that's up to you.

ok.

> > When a task belonging to userid 500 in the initial user namespace
> 
> Is 500 special?  Or is this just a worked example?

example.

...

> > Working notes
> > =============
> > capable checks for actions related to syslog must be against the
> > init_user_ns until syslog is containerized.
> 
> Do you mean the 'capable' function?  If so, I recommend you suffix it with
> '()'.  Or did you mean 'Capability checks'?

I meant capability checks.

> > Same is true for reboot and power, control groups, devices, and time.
> > 
> > Perf actions (kernel/event/core.c for instance) will always be
> > constrained to init_user_ns.
> > 
> > Q:
> > Is accounting considered properly containerized wrt pidns?  (it
> > appears to be).  If so, then we can change the capable check in
> 
> 'capability check' or 'capable() call'?  Anyone reading this ought to know what
> capable() does.

Here I meant capable().  I definitely see I need to be clearer.

> > kernel/acct.c to 'ns_capable(current_pid_ns()->user_ns, CAP_PACCT)'
> > 
...

> > For drivers/tty/tty_io.c and drivers/tty/vt/vt.c, we'll want to (for
> > some of them) target at the user_ns owning the tty.  That will have
> > to wait until we get userns owning files straightened out.
> 
> Target what at the user_ns?

Target the capability check at the user_ns.

> > We need to figure out how to label devices.  Should we just toss a user_ns
> > right into struct device?
> 
> Would that isolate a device and make it exclusively accessible by that user_ns?

I think so, which is probably too restrictive until a devices namespace
can help us work around it when needed.

Thanks again,

-serge
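The two ideas that run through the exchange above, namespace-relative views of on-disk UIDs (so that an unmapped owner never compares equal and only the 'other' bits apply) and capability checks targeted at a user namespace rather than at init_user_ns (the capable() vs. ns_capable() change discussed for kernel/acct.c), can be shown with a small userspace model. The program below is an added example, not kernel code and not part of the patch series; it assumes a single uid extent per namespace, and that a task holds a capability in a target namespace only when its own namespace is the target or an ancestor of it and the capability is in its effective set. The namespace hierarchy, creds and uid ranges are constructed sample data.

```c
/*
 * Added example (not kernel code): a userspace model of namespace-relative
 * uid views and of capability checks targeted at a user namespace.
 * Assumptions: one uid extent per namespace; a task is capable in a target
 * namespace only if its own namespace is the target or an ancestor of it
 * and the capability is in its effective set.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#ifndef CAP_SYS_PACCT
#define CAP_SYS_PACCT 20    /* values as in linux/capability.h */
#endif
#ifndef CAP_SYS_ADMIN
#define CAP_SYS_ADMIN 21
#endif
#define OVERFLOW_UID 65534u /* what an unmapped uid is shown as (kernel default overflowuid) */

struct user_ns {
    const char *name;
    const struct user_ns *parent;
    /* inner uids first..first+count-1 are backed by lower_first.. in the parent */
    uint32_t map_first, map_lower_first, map_count;
};

struct cred {
    const struct user_ns *ns;  /* namespace the task's uids are expressed in */
    uint32_t euid;             /* effective uid as seen in ns */
    uint64_t cap_effective;    /* bit n set <=> capability n held */
};

/* Constructed sample hierarchy: a container namespace whose uids 0..999 are
 * backed by 100000..100999 in init_user_ns. */
const struct user_ns init_user_ns = { "init_user_ns", NULL, 0, 0, 0 };
const struct user_ns container_ns = { "container_ns", &init_user_ns, 0, 100000, 1000 };

/* Constructed sample creds. */
const struct cred init_root      = { &init_user_ns, 0,   ~0ull };
const struct cred container_root = { &container_ns, 0,   ~0ull };
const struct cred container_user = { &container_ns, 500, 0 };

/* Translate one parent-namespace uid into ns's own view; false if unmapped. */
static bool map_down(const struct user_ns *ns, uint32_t outer, uint32_t *inner)
{
    if (ns->parent == NULL) { *inner = outer; return true; }   /* init ns: identity */
    if (outer >= ns->map_lower_first && outer - ns->map_lower_first < ns->map_count) {
        *inner = ns->map_first + (outer - ns->map_lower_first);
        return true;
    }
    return false;
}

/* How an on-disk (init_user_ns) uid appears to a task in ns (depth <= 16 assumed). */
uint32_t view_uid(const struct user_ns *ns, uint32_t init_uid)
{
    const struct user_ns *chain[16];
    int depth = 0;
    for (const struct user_ns *n = ns; n; n = n->parent)
        chain[depth++] = n;
    uint32_t cur = init_uid;
    for (int i = depth - 1; i >= 0; i--)       /* walk root -> ns, mapping at each level */
        if (!map_down(chain[i], cur, &cur))
            return OVERFLOW_UID;
    return cur;
}

/* Does a file's on-disk owner compare equal to the task's euid?  An unmapped
 * owner never matches, so only the 'other' permission bits would apply. */
bool owner_matches(const struct cred *c, uint32_t file_init_uid)
{
    uint32_t seen = view_uid(c->ns, file_init_uid);
    return seen != OVERFLOW_UID && seen == c->euid;
}

/* Model of ns_capable(target, cap): walk up from target looking for the task's own ns. */
bool ns_capable_model(const struct cred *c, const struct user_ns *target, int cap)
{
    for (const struct user_ns *ns = target; ns; ns = ns->parent)
        if (ns == c->ns)
            return (c->cap_effective >> cap) & 1;
    return false;   /* the task's namespace does not contain the target */
}

/* Model of the untargeted capable(cap): always checked against init_user_ns. */
bool capable_model(const struct cred *c, int cap)
{
    return ns_capable_model(c, &init_user_ns, cap);
}

int main(void)
{
    printf("container root, acct() under capable():    %d\n",
           capable_model(&container_root, CAP_SYS_PACCT));
    printf("container root, acct() under ns_capable(): %d\n",
           ns_capable_model(&container_root, &container_ns, CAP_SYS_PACCT));
    printf("init-ns uid 0 seen from container:      %u\n", view_uid(&container_ns, 0));
    printf("init-ns uid 100500 seen from container: %u\n", view_uid(&container_ns, 100500));
    return 0;
}
```

Run stand-alone, the program shows that the container's root passes the accounting check only once it is targeted at the container's own namespace, that init-ns root stays capable in every descendant, and that an init-ns uid 0 owner is seen from the container as the overflow uid, so it can never match the container's uid 0.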
