From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
To: Janne Karhunen <janne.karhunen-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Subject: Re: [PATCH] Use CAP_SYS_RESOURCE as magic for escaping user namespaces.
Date: Wed, 8 May 2013 10:21:07 -0500
Message-ID: <20130508152107.GA3975@austin.hallyn.com>
In-Reply-To: <CAE=NcratxHJ1dzDVn3qNxTagcA+CWi4PM+0_sx-9HTBZH_ym_w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
Quoting Janne Karhunen (janne.karhunen-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> On Tue, May 7, 2013 at 9:38 PM, Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> wrote:
>
> > So far it appears that we don't need a device namespace. As for most
> > things the usual DAC permissions apply.
>
> Serge, please note ;)
?
Here are some possibilities regarding devices:
1. ptys are already namespaced in their own way
2. loop is not namespaced, but easily could be. The question is how to
trigger a new namespace for them. Maybe a loopfs with newinstance
option :)
3. c 4 1 (/dev/tty1). Right now containers handle this purely through
obfuscation at the filename level, symlinking /dev/tty1 to a pty.
We could namespace tasks at a tty level, so that c 4 1 either points
to a provided open fd, or to nothing, in the new namespace.
4. Video cards could be handled by introducing virtual devices to
replace the physical ones, OR they could be handled by passing the
physical video card to a different X namespace (X being user, device,
or something else). Both have in the past been mentioned by Eric,
and they're not mutually exclusive.
So, I object to a blanket "this capability changes the meaning of all
your other capabilities with respect to the hardware." However, perhaps
we could do something like "pass this device to that user namespace, so
that any capabilities he has toward his user namespace will be allowed
against that device."
> > The exceptions that I am aware of where we need something extra are
> > cases where the device abstraction is simply insufficient and needs
> > to be improved.
> >
> > You can pass real network devices between network namespaces.
>
> Have you considered passing things like frame buffer, input subsystem
> and/or modem(s)?
We have, but I'm not sure we've discussed (though I'm sure we've all
thought about) just passing straight to a user namespace.
-serge
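As an added illustration of point 3 above (not code from this thread, from the patch under discussion, or from any container runtime): a small audit that tells the symlink-to-pty arrangement apart from a real `c 4 N` host tty node in a container's /dev. The `make_sample_dev()` helper builds a constructed sample tree with symlinks only, since creating device nodes needs CAP_MKNOD; `audit_dev("/dev")` on a real host lists the host's own tty nodes.

```python
import os
import stat
import tempfile

# From the thread: "c 4 1" is /dev/tty1, a real host virtual console.
# Character major 4 is the host tty range; pty slaves live under /dev/pts.
HOST_TTY_MAJOR = 4

def classify_dev_entry(path):
    """Classify one /dev entry: a symlink into /dev/pts (the filename-level
    obfuscation the thread describes), a real host tty node (c 4 N), another
    character device, or something else. Returns (kind, detail)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        target = os.readlink(path)
        if target.startswith("pts/") or "/pts/" in target:
            return ("pty-symlink", target)
        return ("symlink", target)
    if stat.S_ISCHR(st.st_mode):
        major, minor = os.major(st.st_rdev), os.minor(st.st_rdev)
        kind = "host-tty" if major == HOST_TTY_MAJOR else "chardev"
        return (kind, "c %d %d" % (major, minor))
    return ("other", "")

def audit_dev(devdir):
    """Top-level walk of a container's /dev; returns sorted (name, kind,
    detail) triples. 'host-tty' entries hand the container a host console."""
    result = []
    for name in sorted(os.listdir(devdir)):
        kind, detail = classify_dev_entry(os.path.join(devdir, name))
        result.append((name, kind, detail))
    return result

def host_tty_nodes(devdir):
    """Names of entries that are real host tty device nodes (c 4 N)."""
    return [n for n, kind, _ in audit_dev(devdir) if kind == "host-tty"]

def make_sample_dev():
    """Constructed sample /dev (hypothetical layout, not from the thread):
    tty1 and console are symlinks to ptys, plus one unrelated regular file.
    Creating device nodes needs CAP_MKNOD, so none are made here."""
    d = tempfile.mkdtemp(prefix="sample-dev-")
    os.symlink("pts/0", os.path.join(d, "tty1"))
    os.symlink("/dev/pts/3", os.path.join(d, "console"))
    open(os.path.join(d, "README"), "w").close()
    return d
```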