From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Janne Karhunen <janne.karhunen-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Subject: Re: [PATCH] Use CAP_SYS_RESOURCE as magic for escaping user namespaces.
Date: Tue, 07 May 2013 11:38:37 -0700
Message-ID: <87fvxy8wk2.fsf@xmission.com>
In-Reply-To: <CAE=NcrakiaDPRXJTQz770JNcYw9xbBJcEfCHsap-MGhkT8z2gQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (Janne Karhunen's message of "Tue, 7 May 2013 21:14:42 +0300")

Janne Karhunen <janne.karhunen-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:

> On Tue, May 7, 2013 at 8:10 PM, Serge E. Hallyn <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org> wrote:
>
>> Uh, I would say nack, and if you need this then a device
>> namespace allowing you to 'pass' devices similarly to how you
>> pass a physical nic to a child netns is a part of the answer.
>
> Hmm, 'slight' issue is that it does not really exist and that ns
> can not even be properly specified as functionality (we tried
> that earlier didn't we - everyone had different opinion on what
> that ns should really do).

So far it appears that we don't need a device namespace.  As for most
things the usual DAC permissions apply.

The exceptions that I am aware of where we need something extra are
cases where the device abstraction is simply insufficient and needs
to be improved.

You can pass real network devices between network namespaces.

>> Your goals are not 100% clear to me.  What is it about a user
>> namespace that you want?
>
> I'm trying to experiment with a system that has init_ns size
> of one tiny task and apart from that everything runs inside
> containers. Because of this I need a way to elevate rights
> of certain trusted applications inside user namespaces so
> that they could operate against things requesting rights
> from init ns.

It will never be acceptable for tasks in a user namespace to have
any rights outside of that user namespace.  Elevating rights is the
wrong model.

The model very much needs to be how do we make a device safe for use by
an unprivileged user.

Most devices you can allow access to users in a user namespace with a
simple chmod.

You will also have the problem of how do you mount filesystems.  Except
for tmpfs I don't think there are any writable filesystems mountable in
a mount namespace created by a user namespace.

Your goal does sound interesting however.

Eric
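The two checks Eric's reply relies on, ordinary DAC on the device node plus the uid/gid translation that a user namespace's uid_map and gid_map impose, can be modelled as a small standalone script. This is an added illustration, not code from the thread or from the kernel; the mapping "0 100000 65536", the gid 108 standing in for the kvm group, and the device nodes are all constructed. The CAP_DAC_OVERRIDE branch follows the rule current kernels apply in capable_wrt_inode_uidgid (a capability held inside the namespace only overrides DAC on inodes whose owner and group are mapped into that namespace); the 2013 message does not mention that helper, so treat that part as the editor's addition.

```python
"""Model a device open from inside a user namespace: translate the task's
namespace ids through uid_map/gid_map, then apply ordinary DAC on the node.
All maps and device nodes below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdMap:
    # One line of /proc/<pid>/uid_map or gid_map: "ns_start host_start count"
    ns_start: int
    host_start: int
    count: int


def parse_id_map(text):
    """Parse the uid_map/gid_map text format into IdMap entries."""
    maps = []
    for line in text.splitlines():
        if line.strip():
            ns_start, host_start, count = (int(x) for x in line.split())
            maps.append(IdMap(ns_start, host_start, count))
    return maps


def to_host_id(maps, ns_id):
    """Namespace-local id -> host (kernel) id, or None if the id is unmapped."""
    for m in maps:
        if m.ns_start <= ns_id < m.ns_start + m.count:
            return m.host_start + (ns_id - m.ns_start)
    return None


def is_mapped(maps, host_id):
    """True if a host id is visible (has a mapping) inside the namespace."""
    return any(m.host_start <= host_id < m.host_start + m.count for m in maps)


@dataclass(frozen=True)
class DeviceNode:
    path: str
    owner_uid: int   # host uid of the node's owner
    owner_gid: int   # host gid of the node's group
    mode: int        # permission bits only, e.g. 0o660


def dac_allows(node, host_uid, host_gids, need):
    """Classic owner/group/other check. An unmapped task id (None) never
    matches the owner or group and therefore only gets the 'other' bits."""
    if host_uid == node.owner_uid:
        bits = (node.mode >> 6) & 0o7
    elif node.owner_gid in host_gids:
        bits = (node.mode >> 3) & 0o7
    else:
        bits = node.mode & 0o7
    return bits & need == need


def can_open(node, uid_map, gid_map, ns_uid, ns_gids, access="rw",
             ns_cap_dac_override=False):
    """Would a task with these namespace ids be able to open the node?"""
    host_uid = to_host_id(uid_map, ns_uid)
    host_gids = {g for g in (to_host_id(gid_map, gid) for gid in ns_gids)
                 if g is not None}
    need = (0o4 if "r" in access else 0) | (0o2 if "w" in access else 0)
    # A capability held inside the namespace only overrides DAC on nodes
    # whose owner and group are themselves mapped into that namespace
    # (the capable_wrt_inode_uidgid rule on current kernels; modelled here
    # for read/write only). Host-owned nodes are untouched by it.
    if (ns_cap_dac_override and is_mapped(uid_map, node.owner_uid)
            and is_mapped(gid_map, node.owner_gid)):
        return True
    return dac_allows(node, host_uid, host_gids, need)


# Constructed sample: an unprivileged container whose root is host uid 100000.
UID_MAP = parse_id_map("0 100000 65536\n")
GID_MAP = parse_id_map("0 100000 65536\n")
DEV_NULL = DeviceNode("/dev/null", 0, 0, 0o666)
DEV_KVM = DeviceNode("/dev/kvm", 0, 108, 0o660)       # 108: constructed 'kvm' gid
DEV_KVM_CHMOD = DeviceNode("/dev/kvm", 0, 108, 0o666)  # after a chmod 0666
DEV_KVM_CHOWN = DeviceNode("/dev/kvm", 100000, 100000, 0o660)  # chown to the container


def demo():
    """Evaluate the scenarios from the message for the namespace's root task."""
    root, groups = 0, {0}
    return {
        "null_as_ns_root": can_open(DEV_NULL, UID_MAP, GID_MAP, root, groups),
        "kvm_as_ns_root": can_open(DEV_KVM, UID_MAP, GID_MAP, root, groups),
        "kvm_with_ns_cap": can_open(DEV_KVM, UID_MAP, GID_MAP, root, groups,
                                    ns_cap_dac_override=True),
        "kvm_after_chmod": can_open(DEV_KVM_CHMOD, UID_MAP, GID_MAP, root, groups),
        "kvm_after_chown": can_open(DEV_KVM_CHOWN, UID_MAP, GID_MAP, root, groups),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'allowed' if allowed else 'denied'}")
```

Running it shows the point of the reply: the namespace root reaches /dev/null through the "other" bits, cannot reach a root:kvm 0660 node even with CAP_DAC_OVERRIDE inside the namespace (the owner is not mapped, so the capability does not apply), and gains access once the administrator either chmods the node or chowns it to a mapped id. Access is granted by changing what the device node permits, not by granting the namespace rights outside itself.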
