From: ebiederm@xmission.com (Eric W. Biederman)
To: Stanislav Kinsbursky
Cc: "J. Bruce Fields", Linux Containers, "Serge E. Hallyn", Trond Myklebust
Subject: Re: [PATCH review 52/85] sunrpc: Properly encode kuids and kgids in auth.unix.gid rpc pipe upcalls.
Date: Thu, 14 Feb 2013 00:42:20 -0800
Message-ID: <877gmbguc3.fsf@xmission.com>
In-Reply-To: <511C8E50.8080007@parallels.com> (Stanislav Kinsbursky's message of "Thu, 14 Feb 2013 11:12:16 +0400")
References: <87621w14vs.fsf@xmission.com> <1360777934-5663-1-git-send-email-ebiederm@xmission.com> <1360777934-5663-52-git-send-email-ebiederm@xmission.com> <20130213210545.GO14195@fieldses.org> <874nhfrjgg.fsf@xmission.com> <20130213215047.GR14195@fieldses.org> <8738wzq1z6.fsf@xmission.com> <20130213225840.GV14195@fieldses.org> <87ip5vn6iv.fsf@xmission.com> <511C8E50.8080007@parallels.com>

Stanislav Kinsbursky writes:

> 14.02.2013 03:22, Eric W. Biederman writes:
> Hmmm...
> Maybe I'm missing the point of user namespaces, but since NFS kernel server
> is controlled via NFSd file system write calls, maybe it would be better to add:
>
> .fs_flags = FS_USERNS_MOUNT
>
> to it and add check:
>
> +	if (net->user_ns != current_user_ns())
> +		return -EINVAL;
>
> No?

Not really.  The immediate goal is to just use kuid_t and kgid_t instead
of uid_t and gid_t throughout the kernel.  That ensures someone hasn't
missed a case and is getting a uid in one namespace confused with a uid
in another.  And that is needed to make it safe to enable nfs and nfsd
support when user namespace support is enabled in the kernel.

So at the basic level I have made the assumption that all nfs activity
happens in the initial user namespace and have made conversions to/from
the initial user namespace throughout the nfs and nfsd code.

We can add FS_USERNS_MOUNT when we are ready to support running in
multiple user namespaces.  For now not allowing mounts outside of the
initial user namespace ensures that the nfs client code is always
in the initial user namespace and that the nfs server code is always
dealing with ids in the initial user namespace.

Stanislav, even with your pending patches it won't be possible to mount a
nfsd where net->user_ns != init_userns.  So no bugs will result in the
combination of our patches.  The one case I was worried about was
fs/nfs/exports.  But since that is read-only it creates no problems.

The big thing user namespaces allow (besides uid and gid mapping) is a
context where unprivileged users can create containers.  Those
containers can mount and unmount filesystems and have a root user.  But
that root user does not have global uid == 0, nor does that root user
have any global capabilities.  The root user only has capabilities over
objects created in that user namespace.  Which can include network
namespaces etc.

Now all of that said and done, when we do start supporting user
namespaces in nfs (something that looks comparatively simple after your
recent work to make nfs and nfsd network namespace aware) I expect the
mount for nfsd and nfs will want to do:

	if (net->user_ns != current_user_ns())
		return -EINVAL;

I can't see any other cases actually making sense.  If we are in an
ancestor user namespace of net->user_ns we are ok permission wise
but we are in a totally confused state with respect to which
permission to talk.  If we are in a descendant user namespace we should
not have the permissions to do potentially dangerous things.

Which should make for a very very simple conversion to get nfs
running in multiple user namespaces for 3.10 as we can just replace
&init_net with net->user_ns everywhere.

Eric
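
The following is an added example, not part of the email and not kernel code: a simplified userspace model of the kuid_t idea and of the mount check discussed above. The `model_*` functions, the single-extent `struct user_ns`, and the namespace values are assumptions made for illustration.

```c
/* Simplified userspace model of kuid_t-style id handling; not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* A distinct type for global ids, so a raw namespace-local uid cannot be
 * passed where a global id is expected without an explicit conversion. */
typedef struct { uint32_t val; } kuid_t;
#define INVALID_KUID ((kuid_t){ UINT32_MAX })

/* One map extent: local ids [first, first+count) -> global [lower_first, ...). */
struct user_ns { uint32_t first, lower_first, count; };

static int kuid_valid(kuid_t k) { return k.val != UINT32_MAX; }

/* Namespace-local uid -> global kuid; unmapped ids become INVALID_KUID. */
kuid_t model_make_kuid(const struct user_ns *ns, uint32_t uid)
{
    if (uid < ns->first || uid - ns->first >= ns->count)
        return INVALID_KUID;
    return (kuid_t){ ns->lower_first + (uid - ns->first) };
}

/* Global kuid -> uid as seen from ns; UINT32_MAX if ns has no mapping. */
uint32_t model_from_kuid(const struct user_ns *ns, kuid_t k)
{
    if (!kuid_valid(k) || k.val < ns->lower_first ||
        k.val - ns->lower_first >= ns->count)
        return UINT32_MAX;
    return ns->first + (k.val - ns->lower_first);
}

/* The mount-time check from the email: the caller must be in exactly the
 * user namespace that owns the network namespace. */
int model_mount_check(const struct user_ns *net_user_ns,
                      const struct user_ns *current_ns)
{
    return net_user_ns != current_ns ? -EINVAL : 0;
}

/* Constructed namespaces: identity-mapped initial ns, and a container. */
static const struct user_ns init_ns = { 0, 0, UINT32_MAX };
static const struct user_ns container_ns = { 0, 100000, 65536 };

int main(void)
{
    kuid_t root_in_container = model_make_kuid(&container_ns, 0);
    printf("container root as seen by init ns: %u\n",
           model_from_kuid(&init_ns, root_in_container));
    printf("mount from init ns on container net: %d\n",
           model_mount_check(&container_ns, &init_ns));
    return 0;
}
```

In this model the container's root converts to global id 100000 rather than 0, and ids outside the map convert to an invalid value instead of aliasing another user.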