From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
Cc: linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Linux Containers
	<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH review 12/16] userns: For /proc/self/{uid, gid}_map derive the lower userns from the struct file
Date: Mon, 19 Nov 2012 13:27:45 -0800	[thread overview]
Message-ID: <87y5hxxoz2.fsf@xmission.com> (raw)
In-Reply-To: <20121119211912.GA12388@sergelap> (Serge Hallyn's message of "Mon, 19 Nov 2012 15:19:12 -0600")

Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org> writes:

> Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
>> 
>> In practice when playing around it is the difference between:
>> unshare -U /bin/bash
>> echo 0 1000 1 > /proc/self/uid_map
>> 
>> And the need to pre-plan something.  You can set the uid_map from the
>> parent in a shell script but it is a real pain.  So for just messing
>> around allowing seq_ns == ns is a real advantage.
>
> Heh, ok - I almost always want >1 uid mapped, but I can see the
> advantage.

The original plan called for an upcall and >1 uid mapped.  But yeah
that is something else again.

> Thanks.
>
> I don't recall whether I put this in originally, but
>
> Acked-by: Serge E. Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
>
>> > I also wonder if -EINVAL would be a more appropriate choice here.
>> > We're trying to keep things sane, rather than saying "not allowed"
>> > for its own sake.
>> 
>> A different error code might be better.
>
> I suppose strictly speaking (looking at errno-base.h) it would be
> EBADF?

Definitely not EBADF.  EBADF is the error code for operating on a closed
file descriptor.

I want an ENOTALLOWED. Anyway.

Eric
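
The thread turns on two things: the convenience of a process writing its own `/proc/self/uid_map` (`echo 0 1000 1`) versus pre-planning the write from the parent, and which errno a rejected write should carry (EINVAL for a malformed map, EPERM for a policy refusal, and definitely not EBADF). As an added example, not code from this thread or from the kernel, the following Python models those checks in user space so the distinction can be exercised on constructed inputs. The names `parse_id_map`, `check_write`, `write_result` and `MapError` are mine; the five-extent limit, the one-write rule, and the "unprivileged writer may map only its own uid" rule are my reading of the 2012-era kernel behaviour and are assumptions, not the kernel's code.

```python
import errno

# Constructed constants for this added example. The extent limit mirrors
# UID_GID_MAP_MAX_EXTENTS in the 2012-era kernel/user_namespace.c (assumption).
MAX_EXTENTS = 5
U32_MAX = 0xFFFFFFFF


class MapError(ValueError):
    """A rejected write, carrying the errno a kernel-style checker would return."""

    def __init__(self, err, msg):
        super().__init__(f"{errno.errorcode[err]}: {msg}")
        self.err = err


def _overlaps(a, alen, b, blen):
    return a < b + blen and b < a + alen


def parse_id_map(text):
    """Parse "first lower count" lines into (first, lower, count) tuples.

    'first' is the id inside the new namespace, 'lower' the id it maps to in
    the parent namespace, 'count' the length of the range. Format and range
    problems are EINVAL, the "keep things sane" class of error from the thread.
    """
    extents = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or not all(f.isdecimal() for f in fields):
            raise MapError(errno.EINVAL, f"expected three unsigned integers: {line!r}")
        first, lower, count = (int(f) for f in fields)
        if count == 0 or max(first, lower, count) > U32_MAX:
            raise MapError(errno.EINVAL, f"field out of range: {line!r}")
        # Neither side of the range may wrap past the top of the u32 id space.
        if first + count - 1 > U32_MAX or lower + count - 1 > U32_MAX:
            raise MapError(errno.EINVAL, f"range overflows u32: {line!r}")
        for f2, l2, c2 in extents:
            if _overlaps(first, count, f2, c2) or _overlaps(lower, count, l2, c2):
                raise MapError(errno.EINVAL, f"overlaps an earlier extent: {line!r}")
        extents.append((first, lower, count))
        if len(extents) > MAX_EXTENTS:
            raise MapError(errno.EINVAL, f"more than {MAX_EXTENTS} extents")
    if not extents:
        raise MapError(errno.EINVAL, "empty map")
    return extents


def check_write(text, writer_uid, privileged, current_map=None, parent_map=None):
    """Model the policy side of a uid_map write (simplified; an assumption).

    writer_uid  -- the writer's uid as seen in the parent namespace
    privileged  -- True if the writer holds CAP_SETUID in the parent namespace
    current_map -- extents already installed in the target namespace, if any
    parent_map  -- the parent namespace's own extents; None means the initial
                   namespace, where every id is mapped

    Policy refusals are EPERM: the map may be written only once, an
    unprivileged writer may map only its own uid (the 'echo 0 1000 1' case),
    and every lower id must already be mapped in the parent.
    """
    if current_map:
        raise MapError(errno.EPERM, "map already set; only one write is allowed")
    extents = parse_id_map(text)
    if not privileged:
        if len(extents) != 1 or extents[0][2] != 1 or extents[0][1] != writer_uid:
            raise MapError(errno.EPERM, "unprivileged writer may map only its own uid")
    if parent_map is not None:
        for _first, lower, count in extents:
            # 'lower' ids live in the parent, so compare against the parent's 'first' side.
            covered = any(pf <= lower and lower + count <= pf + pc
                          for pf, _pl, pc in parent_map)
            if not covered:
                raise MapError(errno.EPERM,
                               f"lower ids {lower}..{lower + count - 1} not mapped in parent")
    return extents


def write_result(text, writer_uid, privileged, current_map=None, parent_map=None):
    """Return ("ok", extents) or ("error", errno name) for easy reporting."""
    try:
        return ("ok", check_write(text, writer_uid, privileged, current_map, parent_map))
    except MapError as e:
        return ("error", errno.errorcode[e.err])


if __name__ == "__main__":
    # Constructed scenarios: the single-uid case from the thread, the ">1 uid
    # mapped" case that needs privilege in the parent, and a second write.
    print(write_result("0 1000 1\n", writer_uid=1000, privileged=False))
    print(write_result("0 100000 65536\n", writer_uid=1000, privileged=False))
    print(write_result("0 100000 65536\n", writer_uid=0, privileged=True,
                       parent_map=[(0, 0, 4294967295)]))
    print(write_result("0 1000 1\n", writer_uid=1000, privileged=False,
                       current_map=[(0, 1000, 1)]))
```

The pre-planned path Eric mentions is the same write aimed at `/proc/<pid>/uid_map` by a parent that holds the needed privilege; in this model that is the `privileged=True` call with the parent's map supplied. Keeping format failures on EINVAL and policy refusals on EPERM is what lets a caller tell "you wrote garbage" apart from "you are not allowed to map that".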
