From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Cc: Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
Subject: Re: [PATCH 4/4] setns.2: Document the pid, user, and mount namespace support.
Date: Thu, 27 Dec 2012 09:40:19 -0800 [thread overview]
Message-ID: <87bodftmv0.fsf@xmission.com> (raw)
In-Reply-To: <CAKgNAkiaw5L_oNE8NENjmoBS8Hq_uj+iaEdhyXc1+hje4HdnNQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (Michael Kerrisk's message of "Thu, 27 Dec 2012 12:08:51 +0100")
"Michael Kerrisk (man-pages)" <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
> Hi Eric,
>
> Some questions below.
A quick note. Getting the permission checks correct has been a little
more interesting than I would have preferred.
I had to add a nsown_capable(CAP_SYS_ADMIN) check to all of the setns()
install methods except the user namespace. Not a change in pre 3.8
behavior but a change to my patch, and possibly a documentation change
below.
> On Tue, Nov 27, 2012 at 1:48 AM, Eric W. Biederman
> <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> wrote:
>>
>> Signed-off-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
>> ---
>> man2/setns.2 | 41 +++++++++++++++++++++++++++++++++--------
>> 1 files changed, 33 insertions(+), 8 deletions(-)
>>
>> diff --git a/man2/setns.2 b/man2/setns.2
>> index 6aa01e1..63b04dc 100644
>> --- a/man2/setns.2
>> +++ b/man2/setns.2
>> @@ -48,6 +48,18 @@ must refer to a network namespace.
>> .BR CLONE_NEWUTS
>> .I fd
>> must refer to a UTS namespace.
>> +.TP
>> +.BR CLONE_NEWPID
>> +.I fd
>> +must refer to a PID namespace.
>> +.TP
>> +.BR CLONE_NEWUSER
>> +.I fd
>> +must refer to a user namespace.
>> +.TP
>> +.BR CLONE_NEWNS
>> +.I fd
>> +must refer to a mount namespace.
>> .PP
>> Specifying
>> .I nstype
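Review bot: the three new .TP entries read as unconditional ("must refer to a PID namespace." and so on), while the paragraphs added further down restrict exactly these three types: the child-PID-namespace rule, the single-threaded requirement for user and mount namespaces, and the capability checks. A short pointer from each new entry to those restrictions (for example "see the restrictions below") would stop a reader who only scans the nstype list from assuming any file descriptor of the right type can be joined.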
>> @@ -63,6 +75,25 @@ and wants to ensure that the namespace is of a particular type.
>> .IR fd
>> if the file descriptor was opened by another process and, for example,
>> passed to the caller via a UNIX domain socket.)
>> +
>> +The pid namespace is a little different. Reassociating the calling
>> +thread with a pid namespace only changes the pid namespace that the
>> +child processes will be created in.
>> +
>> +Changing the pid namespace for child processes is only allowed if the
>> +pid namespace specified by
>> +.IR fd
>> +is a child pid namespace of the pid namespace of the current thread.
>
> I assume "current thread" above should be "calling thread", right?
What I mean is "current" from a kernel perspective.
It should be just "caller".
Threads must share a pid namespace so mentioning threads seems wrong.
>> +
>> +A multi-threaded process may not change user namespace with setns. A
>> +process may not reassociate the thread with the current user
>> +namespace.
>
> What do you mean by "the current user namespace"?
fd = open("/proc/self/ns/user", O_RDONLY);
setns(fd, CLONE_NEWUSER) -> -EINVAL
So from a userspace perspective I mean "the callers user namespace".
>> The process reassociating itself with a user namespace
>> +must have CAP_SYS_ADMIN privileges in the target user namespace.
>>
>> +A process may not be reassociated with a new mount namespace if it is
>> +multi-threaded
>
> I tried to verify the preceding two lines from the kernel source, but
> did not work out where this check is made. Where is it?
kernel/user_namespace.c:userns_install()
fs/namespace.c:mntns_install()
A couple of the security checks have been pushed down into a per
namespace context, because the exact check that makes sense depends on
the namespace.
>> or it does not possess both CAP_SYS_CHROOT privileges
>> +and CAP_SYS_ADMIN rights over the target mount namespace.
>
> Could you please expand/clarify the preceding two lines. As they
> stand, I don't really understand them.
Ugh. The text is slightly wrong.
The code is:
    if (!ns_capable(mnt_ns->user_ns, CAP_SYS_ADMIN) ||
        !nsown_capable(CAP_SYS_CHROOT) ||
        !nsown_capable(CAP_SYS_ADMIN))
            return -EPERM;
Basically you aren't allowed to change your mount namespace into
a mount namespace that doesn't see you as the all powerful root
able to mount and unmount filesystems.
You aren't allowed to change your mount namespace unless you possess
CAP_SYS_CHROOT and CAP_SYS_ADMIN.
>> .SH RETURN VALUE
>> On success,
>> .IR setns ()
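Review bot: the mount-namespace text "or it does not possess both CAP_SYS_CHROOT privileges and CAP_SYS_ADMIN rights over the target mount namespace" does not describe the check quoted in this reply, which requires three things: CAP_SYS_ADMIN in the user namespace that owns the target mount namespace (ns_capable(mnt_ns->user_ns, CAP_SYS_ADMIN)), plus CAP_SYS_CHROOT and CAP_SYS_ADMIN in the caller's own user namespace (the two nsown_capable() calls); the sentence should list all three. The PID-namespace paragraph has the same gap in the other direction: it gives only the child-namespace rule and not the CAP_SYS_ADMIN requirement mentioned at the top of this message. Two smaller points in the same hunk: "the pid namespace of the current thread" should be "of the caller", as agreed above, and since the reply names the actual results (-EINVAL for a multi-threaded caller or the caller's own user namespace, -EPERM for the capability failures), the added paragraphs would be more useful if they said which errno each restriction produces.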
>> @@ -94,7 +125,8 @@ for this operation.
>> The
>> .BR setns ()
>> system call first appeared in Linux in kernel 3.0;
>> -library support was added to glibc in version 2.14.
>> +library support was added to glibc in version 2.14;
>> +Support for PID, user and mount namespaces first appeard in Linux in kernel 3.8.
>> .SH CONFORMING TO
>> The
>> .BR setns ()
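Review bot: "appeard" in the added line should be "appeared", and turning the full stop after "version 2.14" into a semicolon while the next line starts with a capitalised "Support" leaves a sentence that is neither one sentence nor two. Keep the full stop on the glibc line and add the new text as its own sentence, e.g. "Support for PID, user, and mount namespaces first appeared in Linux 3.8."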
>> @@ -106,13 +138,6 @@ a new thread is created using
>> can be changed using
>> .BR setns ().
>> .SH BUGS
>> -The PID namespace and the mount namespace are not currently supported.
>> -(See the descriptions of
>> -.BR CLONE_NEWPID
>> -and
>> -.BR CLONE_NEWNS
>> -in
>> -.BR clone (2).)
>> .SH SEE ALSO
>> .BR clone (2),
>> .BR fork (2),
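Review bot: the hunk deletes everything under .SH BUGS but keeps the heading, so the rendered page now has an empty BUGS section directly before SEE ALSO. Remove the ".SH BUGS" line together with its body, unless some remaining bug is meant to be documented there.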
>
> Cheers,
>
> Michael
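Two of the rules discussed in this reply can be checked from user space without reading the kernel: re-entering the user namespace you are already in is refused with EINVAL, and setns(CLONE_NEWPID) changes only where the caller's future children are created, never the caller's own PID. The program below is an added example, not part of the patch or of the message above. It assumes a Linux kernel with the 3.8 setns() semantics and a mounted /proc; the PID-namespace part additionally needs CAP_SYS_ADMIN and reports an errno (typically EPERM) instead of running when that is missing. The multi-threaded restriction is not probed. The names join_ns, probe_own_userns, ns_init, pidns_demo and demo_pid_ns_children are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open the namespace file at path and setns() into it; 0 or an errno. */
static int join_ns(const char *path, int nstype)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return errno;
    int err = setns(fd, nstype) < 0 ? errno : 0;
    close(fd);
    return err;
}

/* Re-entering the user namespace you are already in is refused with EINVAL.
 * A sandbox hiding /proc or filtering setns() yields another errno; it never succeeds. */
int probe_own_userns(void)
{
    return join_ns("/proc/self/ns/user", CLONE_NEWUSER);
}

/* PID 1 of the new PID namespace: lives until the parent closes the pipe. */
static int ns_init(void *arg)
{
    int *hold = arg;
    char c;
    close(hold[1]);
    while (read(hold[0], &c, 1) < 0 && errno == EINTR)
        ;
    return 0;
}

struct pidns_demo {
    pid_t self_before, self_after;            /* caller's PID around setns() */
    pid_t grandchild_outer, grandchild_inner; /* fork() result vs. getpid() inside */
};

/* Create a child PID namespace, setns() into it, and show that only a later
 * fork() lands there.  Returns 0 and fills *d, or an errno (EPERM without
 * CAP_SYS_ADMIN, ENOENT without /proc). */
int demo_pid_ns_children(struct pidns_demo *d)
{
    enum { STACK = 256 * 1024 };
    int hold[2], report[2], err;
    char path[64], *stack = malloc(STACK);

    memset(d, 0, sizeof *d);
    if (!stack || pipe(hold) < 0 || pipe(report) < 0)
        return stack ? errno : ENOMEM;
    /* CLONE_NEWPID nests the child's namespace below ours: the "child pid
     * namespace" that setns(CLONE_NEWPID) insists on. */
    pid_t init = clone(ns_init, stack + STACK, CLONE_NEWPID | SIGCHLD, hold);
    if (init < 0) {
        err = errno;
        free(stack);
        return err;
    }
    close(hold[0]);

    snprintf(path, sizeof path, "/proc/%d/ns/pid", (int)init);
    d->self_before = getpid();
    err = join_ns(path, CLONE_NEWPID);
    if (err == 0) {
        d->self_after = getpid();               /* unchanged: setns() moved nobody */
        pid_t gc = fork();                      /* this child starts in the new namespace */
        if (gc == 0) {
            pid_t me = getpid();                /* PID as seen inside */
            _exit(write(report[1], &me, sizeof me) == sizeof me ? 0 : 1);
        }
        if (gc < 0) {
            err = errno;
        } else {
            d->grandchild_outer = gc;           /* PID as seen from our namespace */
            if (read(report[0], &d->grandchild_inner, sizeof(pid_t)) != sizeof(pid_t))
                err = EIO;
            waitpid(gc, NULL, 0);
        }
        /* /proc/self/ns/pid still names our own active namespace and re-entering
         * it is allowed, so this restores the namespace for future children. */
        join_ns("/proc/self/ns/pid", CLONE_NEWPID);
    }
    close(hold[1]);                             /* EOF lets the namespace's PID 1 exit */
    waitpid(init, NULL, 0);
    close(report[0]);
    close(report[1]);
    free(stack);
    return err;
}

int main(void)
{
    struct pidns_demo d;
    int err = probe_own_userns();
    printf("setns() into own user namespace: %s\n", strerror(err));
    if ((err = demo_pid_ns_children(&d)) != 0)
        printf("PID namespace demo not run: %s\n", strerror(err));
    else
        printf("self %d -> %d; grandchild %d outside, %d inside\n", (int)d.self_before,
               (int)d.self_after, (int)d.grandchild_outer, (int)d.grandchild_inner);
    return 0;
}
```

Run it as root to see the PID-namespace half: the caller's PID is printed twice with the same value, while the grandchild's PID differs between the two namespaces (it is a small number, 2 when nothing else has run in the new namespace, inside). As an unprivileged user the clone() fails with EPERM and only the user-namespace probe runs. The restore step works because /proc/self/ns/pid reports the caller's active PID namespace, not the one set for children, and entering that namespace passes the descendant check.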