From mboxrd@z Thu Jan 1 00:00:00 1970 From: Kirill Korotaev Subject: Re: Containers don't handle keys, but should they? Date: Fri, 14 Mar 2008 14:44:38 +0300 Message-ID: <47DA6526.1000107@parallels.com> References: <7519.1205494679@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <7519.1205494679-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: David Howells Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org List-Id: containers.vger.kernel.org yes. If I understand correct key management requires containerization (i.e. "virtualization") as well other subsystems like IPC dealing with IDs. Processes from one container should not be able to access keys from another container. David Howells wrote: > Am I right in thinking that a UID in one container is not necessarily > equivalent to the numerically equivalent UID in another container? > > If that's the case then the key management code will need changing as it > assumes all keys belonging to one numeric UID eat out of the same quota and > the numeric UIDs are used in security checks. > > Furthermore, processes in one container can access keys created by a process > in another container by ID. Is this desirable or not? > > David > _______________________________________________ > Containers mailing list > Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org > https://lists.linux-foundation.org/mailman/listinfo/containers >