From: "Serge E. Hallyn" <serue@us.ibm.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
lkml <linux-kernel@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Ashwin Ganti <ashwin.ganti@gmail.com>, Greg KH <greg@kroah.com>,
rsc@swtch.com, ericvh@gmail.com,
linux-security-module@vger.kernel.org,
Ron Minnich <rminnich@gmail.com>,
jt.beard@gmail.com, Andrew Morton <akpm@linux-foundation.org>,
Andrew Morgan <morgan@kernel.org>,
oleg@us.ibm.com, Eric Paris <eparis@redhat.com>,
linux-api@vger.kernel.org, Randy Dunlap <rdunlap@xenotime.net>
Subject: Re: [PATCH 3/3] p9auth: add p9auth driver
Date: Wed, 21 Apr 2010 15:23:25 -0500 [thread overview]
Message-ID: <20100421202325.GC30745@us.ibm.com> (raw)
In-Reply-To: <m11ve81usw.fsf@fess.ebiederm.org>
Quoting Eric W. Biederman (ebiederm@xmission.com):
> "Serge E. Hallyn" <serue@us.ibm.com> writes:
>
> > Ignoring namespaces for a moment, I guess we could do something like
> >
> > struct credentials_pass {
> > pid_t global_pid;
> > unsigned long unique_id;
> > uid_t new_uid;
> > gid_t new_gid;
> > int num_aux_gids;
> > gid_t aux_gids[];
> > }
>
> This looks surprising like what I am doing in passing uids and pids
> through unix domain sockets.
>
> So if this looks like a direction we want to go it shouldn't be too
> difficult.
>
> >> That also btw needs fixing for other reasons - more than one daemon has
> >> been written that generically uses recvmsg and so can be attacked with FD
> >> leaks >-)
> >
> > Yup.
> >
> > (By 'needs fixing' you just mean needs to be done right for this
> > service? Else I think I'm missing something...)
>
> Remember my unix domain socket and the patch for converting struct cred
> into a new context, from a month or so ago. I think that is what we
> are talking about.
Zoinks! After some digging I found it in my containers.mbox and at
https://lists.linux-foundation.org/pipermail/containers/2010-March/023405.html
and see you even called me out. Sorry! I see your tree at
http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/ebiederm/linux-2.6.33-nsfd-v5.git;a=summary
and commit "af_unix: Allow SO_PEERCRED to work across namespaces", and
it all looks good. Definately useful for a SO_PASSCRED or somesuch
implementation.
thanks,
-serge
next prev parent reply other threads:[~2010-04-21 20:23 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20100421012749.GA21338@us.ibm.com>
[not found] ` <20100421012749.GA21338-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-04-21 1:29 ` [PATCH 3/3] p9auth: add p9auth driver Serge E. Hallyn
[not found] ` <20100421012908.GB24251-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-04-21 3:04 ` Greg KH
[not found] ` <20100421030406.GB10258-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2010-04-21 3:45 ` Serge E. Hallyn
2010-04-21 4:18 ` Ashwin Ganti
2010-04-21 13:47 ` Serge E. Hallyn
[not found] ` <20100421134759.GE16326-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2010-04-21 14:44 ` Ashwin Ganti
2010-04-21 4:45 ` Eric W. Biederman
[not found] ` <m1zl0xo1m9.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-04-21 13:21 ` Serge E. Hallyn
2010-04-24 3:36 ` Serge E. Hallyn
2010-04-24 16:25 ` ron minnich
[not found] ` <n2s13426df11004240925id540ed94mc2ebafada0099ec4-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2010-04-24 18:01 ` Eric W. Biederman
2010-04-25 3:24 ` Serge E. Hallyn
2010-04-21 9:27 ` Alan Cox
[not found] ` <20100421102739.6ad932fb-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
2010-04-21 13:39 ` Serge E. Hallyn
2010-04-21 14:19 ` Alan Cox
[not found] ` <20100421151917.5ae20265-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
2010-04-21 15:09 ` Serge E. Hallyn
2010-04-21 19:15 ` Eric W. Biederman
2010-04-21 20:23 ` Serge E. Hallyn [this message]
2010-04-22 4:57 ` Kyle Moffett
[not found] ` <w2wf73f7ab81004212157o371c5738o10c8b6ff807ba36a-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2010-04-22 14:36 ` Serge E. Hallyn
2010-04-21 13:55 ` Eric Paris
2010-04-21 14:30 ` Serge E. Hallyn
2010-04-21 10:49 ` David Howells
2010-04-21 13:40 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100421202325.GC30745@us.ibm.com \
--to=serue@us.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=ashwin.ganti@gmail.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@redhat.com \
--cc=ericvh@gmail.com \
--cc=greg@kroah.com \
--cc=jt.beard@gmail.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=morgan@kernel.org \
--cc=oleg@us.ibm.com \
--cc=rdunlap@xenotime.net \
--cc=rminnich@gmail.com \
--cc=rsc@swtch.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).