Subject: As we move to use Linux Containers User Namespace
From: Daniel J Walsh
Date: 2014-01-15 21:04 UTC
To: SELinux

I think we need the kernel to start checking container Capabilities rather
than system capabilities.

I would like to be able to say something like

    allow svirt_lxc_net_t self:nscapability sys_admin;

This way we can use MAC to better control break out of user namespace.
Subject: Re: As we move to use Linux Containers User Namespace
From: Eric Paris
Date: 2014-01-15 23:25 UTC
To: Daniel J Walsh; Cc: SELinux

Just to blow everyone's minds: The first thought that came to me was
that the only way to make this useful is to actually put a label on
the user namespace.

If I create a container, and then a container inside that container,
I'd think selinux should be able to control the capabilities at the
second level down. Dan's only asking about one level down...

On Wed, Jan 15, 2014 at 4:04 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> I think we need the kernel to start checking container Capabilities rather
> than system capabilities.
>
> I would like to be able to say something like
>
> allow svirt_lxc_net_t self:nscapability sys_admin;
>
> This way we can use MAC to better control break out of user namespace.
Subject: Re: As we move to use Linux Containers User Namespace
From: William Roberts
Date: 2014-01-15 23:34 UTC
To: Eric Paris; Cc: SELinux

Booom...mind is blown.

Namespaces are kernel resources, and labeling them has been working so far.

On Wed, Jan 15, 2014 at 6:25 PM, Eric Paris <eparis@parisplace.org> wrote:
> Just to blow everyone's minds: The first thought that came to me was
> that the only way to make this useful is to actually put a label on
> the user namespace.
>
> If I create a container, and then a container inside that container,
> I'd think selinux should be able to control the capabilities at the
> second level down. Dan's only asking about one level down...
>
> On Wed, Jan 15, 2014 at 4:04 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> I think we need the kernel to start checking container Capabilities rather
>> than system capabilities.
>>
>> I would like to be able to say something like
>>
>> allow svirt_lxc_net_t self:nscapability sys_admin;
>>
>> This way we can use MAC to better control break out of user namespace.

-- 
Respectfully,
William C Roberts
Subject: Re: As we move to use Linux Containers User Namespace
From: Paul Moore
Date: 2014-01-16 13:24 UTC
To: selinux

On Wednesday, January 15, 2014 06:25:05 PM Eric Paris wrote:
> Just to blow everyone's minds: The first thought that came to me was
> that the only way to make this useful is to actually put a label on
> the user namespace.
>
> If I create a container, and then a container inside that container,
> I'd think selinux should be able to control the capabilities at the
> second level down. Dan's only asking about one level down...

Turtles all the way down.

If we are going to do it for one level, we should do it for all levels.

-- 
paul moore
www.paul-moore.com
Subject: Re: As we move to use Linux Containers User Namespace
From: Serge E. Hallyn
Date: 2014-01-26 16:04 UTC
To: Paul Moore; Cc: selinux

Quoting Paul Moore (paul@paul-moore.com):
> On Wednesday, January 15, 2014 06:25:05 PM Eric Paris wrote:

Note first off that you'll rarely want to check for capabilities against
yourself, because any unprivileged task can unshare a new user namespace
with his own (host) uid mapped to root in the new namespace, and pass that
test. However, checking for capabilities against an open file (meaning an
inode_capable() check) makes sense.

> > Just to blow everyone's minds: The first thought that came to me was
> > that the only way to make this useful is to actually put a label on
> > the user namespace.
> >
> > If I create a container, and then a container inside that container,
> > I'd think selinux should be able to control the capabilities at the
> > second level down. Dan's only asking about one level down...

(Not sure whether you mean up or down? :)

> Turtles all the way down.
>
> If we are going to do it for one level, we should do it for all levels.

Speaking in non-selinux terms, it would make sense to simply ask whether
task T1 has Capability C1 against object O1, where O1 is a task, a nic, a
file, a mountpoint, etc. Referring to a specific user namespace by its own
label would be awkward, I believe. I'm not sure how to put that in selinux
terms, since labels will certainly cross namespaces.

-serge
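Serge's first point above, as an added illustration that is not code from the thread or from any kernel or SELinux patch: a child process unshares a user namespace, maps its own host uid to 0 there, and reports whether it now holds CAP_SYS_ADMIN, which is why a capability check against "self" is trivially satisfied and the check has to name an object (a file, task, nic) and its namespace instead. The function names are my own; the block uses only the raw capget syscall and /proc/self/uid_map, and returns -1 where the kernel or sandbox refuses unprivileged user namespaces.

```c
/* Added example (not from the thread): why a capability check "against self"
 * proves nothing. Function names are my own, not kernel or SELinux APIs. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/capability.h>
#include <sched.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if the caller's effective set holds CAP_SYS_ADMIN (as interpreted in the
 * caller's own user namespace), 0 if not, -1 if capget fails. */
int has_cap_sys_admin(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[CAP_SYS_ADMIN / 32].effective >> (CAP_SYS_ADMIN % 32)) & 1;
}

/* Fork a child that unshares a user namespace and maps its outer uid to 0
 * there. Returns 1 if the child then holds CAP_SYS_ADMIN (expected wherever
 * unprivileged user namespaces are enabled), 0 if not, -1 if the namespace
 * could not be created. */
int cap_after_unshare_userns(void)
{
    uid_t outer = getuid();   /* after unshare, getuid() reports the overflow
                                 uid until a mapping is written, so read now */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char map[64];
        if (unshare(CLONE_NEWUSER) != 0)
            _exit(2);
        int n = snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outer);
        int fd = open("/proc/self/uid_map", O_WRONLY);
        if (fd < 0 || write(fd, map, (size_t)n) != n)
            _exit(2);                     /* mapping refused: unavailable */
        _exit(has_cap_sys_admin() == 1 ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}
```

Run as an ordinary user, has_cap_sys_admin() returns 0 in the host namespace while cap_after_unshare_userns() returns 1: the same task passes a self-check in a namespace it created for free, so policy has to tie the check to the namespace of the object being acted on.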