From: "Serge E. Hallyn"
Subject: Re: [PATCH 0/5] RFC: CGroup Namespaces
Date: Tue, 29 Jul 2014 18:06:56 +0200
Message-ID: <20140729160656.GA6980@mail.hallyn.com>
References: <1405626731-12220-1-git-send-email-adityakali@google.com> <20140724163628.GN26600@ubuntumail> <20140729045159.GB31047@mail.hallyn.com>
To: Andy Lutomirski
Cc: Aditya Kali, Serge Hallyn, Linux API, Linux Containers, linux-kernel@vger.kernel.org, Tejun Heo, cgroups@vger.kernel.org, Ingo Molnar

Quoting Andy Lutomirski (luto@amacapital.net):
> On Mon, Jul 28, 2014 at 9:51 PM, Serge E. Hallyn wrote:
> > Quoting Aditya Kali (adityakali@google.com):
> >> Thank you for your review. I have tried to respond to both your emails here.
> >>
> >> On Thu, Jul 24, 2014 at 9:36 AM, Serge Hallyn wrote:
> >> > Quoting Aditya Kali (adityakali@google.com):
> >> >> Background
> >> >>   Cgroups and Namespaces are used together to create "virtual"
> >> >>   containers that isolate the host environment from the processes
> >> >>   running in the container. But since cgroups themselves are not
> >> >>   "virtualized", the task is always able to see the global cgroups view
> >> >>   through the cgroupfs mount and via the /proc/self/cgroup file.
> >> >>
> >> > Hi,
> >> >
> >> > A few questions/comments:
> >> >
> >> > 1. Based on this description, am I to understand that after doing a
> >> >    cgroupns unshare, 'mount -t cgroup cgroup /mnt' by default will
> >> >    still mount the global root cgroup?  Any plans on "changing" that?
> >>
> >> This is suggested in the "Possible Extensions of CGROUPNS" section.
> >> More details below.
> >>
> >> >    Will attempts to change settings of a cgroup which is not under
> >> >    our current ns be rejected?  (That should be easy to do given your
> >> >    patch 1/5).  Sorry if it's done in the set, I'm jumping around...
> >> >
> >>
> >> Currently, only 'cgroup_attach_task', 'cgroup_mkdir' and
> >> 'cgroup_rmdir' of cgroups outside of cgroupns-root are prevented. The
> >> read/write of actual cgroup properties is not prevented. Usual
> >> permission checks continue to apply for those. I was hoping that
> >> should be enough, but see more comments towards the end.
> >>
> >> > 2. What would be the repercussions of allowing cgroupns unshare so
> >> >    long as you have ns_capable(CAP_SYS_ADMIN) to the user_ns which
> >> >    created your current ns cgroup?  It'd be a shame if that wasn't
> >> >    on the roadmap.
> >> >
> >>
> >> It's certainly on the roadmap, just that some logistics were not clear
> >> at this time. As pointed out by Andy Lutomirski on [PATCH 5/5] of this
> >> series, if we allow cgroupns creation to ns_capable(CAP_SYS_ADMIN)
> >> processes, we may need some kind of explicit permission from the
> >> cgroup subsystem to allow this. One approach could be an explicit
> >
> > So long as you do ns_capable(cgroup_ns->user_ns, CAP_SYS_ADMIN) I think
> > you're fine.
> >
> > The only real problem I can think of with unsharing a cgroup_ns is that
> > you could lock a setuid-root application someplace it wasn't expecting.
> > The above check guarantees that you were privileged enough that you'd
> > better be trusted in this user namespace.
> >
> > (Unless there is some possible interaction I'm overlooking)
>
> I think that, if it's done this way, you'd have to unshare cgroupns
> before unsharing userns, since you forfeit that capability when you
> unshare your userns.  That means that the new cgroupns ends up being
> associated w/ the root userns, which may not be what you want.
>
> You could unshare both namespaces in one syscall and give that some
> magic semantics, but that's kind of weird.  It would be nice if you
> could unshare your userns and temporarily retain caps in the parent,
> but there is no such mechanism right now.

Hm, good point.