[RFC] [PATCH 0/4] uid_ns: introduction

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Containers <containers@lists.osdl.org>, linux-fsdevel@vger.kernel.org
Subject: [RFC] [PATCH 0/4] uid_ns: introduction
Date: Mon, 6 Nov 2006 22:18:14 -0600	[thread overview]
Message-ID: <20061107041814.GA28706@sergelap.austin.ibm.com> (raw)

Cedric has previously sent out a patchset
(http://lists.osdl.org/pipermail/containers/2006-August/000078.html)
impplementing the very basics of a user namespace.  It ignores filesystem
access checks, so that uid 502 in one namespace could access files
belonging to uid 502 in another namespace, if the containers were so set
up.

This isn't necessarily bad, since proper container setup should prevent
problems.  However there has been concern, so here is a patchset which
takes one course in addressing the concern.

It adds a user namespace pointer to every superblock, and to enhances
fsuid equivalence checks with a (inode->i_sb->s_uid_ns ==
current->nsproxy->uid_ns) comparison.

I've tested this as follows:

Created a bare-minimum loopback filesystem which has su, ps, touch, and sh
and requisites (like /etc/pam.d).  Under that, created a user hallyn with
the same uid as user hallyn on the root filesystem.  Under both /home/hallyn
and /mnt/0/home/hallyn (/home/hallyn on the loopbackfs) created a directory
'priv' with 0700 perms. 

unsharens -U /bin/sh
su hallyn
ls /home/hallyn/priv
	(permission denied)
mount -o loop /usr/src/disk.img /mnt/0
mount -t proc none /mnt/0/proc
mount -t devpts none /mnt/0/dev/pts
chroot /mnt/0
su hallyn
ls /home/hallyn/priv
	ab

And, finally, of course

mount -o loop /usr/src/disk.img /mnt/0
mount -t proc none /mnt/0/proc
mount -t devpts none /mnt/0/dev/pts
unsharens -U /bin/sh
chroot /mnt/0
su hallyn
ls /home/hallyn/priv
	(permission denied)

This is only a rough prototype to start some discussion.  i.e. I
ignore groups, so kernel/sys.c:in_group_p() for instance will need to be
updated.

A few issues to be discussed:

1. I am not doing anything about root access.  There are several ways we
can address this.

	a. implement CAP_NS_OVERRIDE, without which cross-ns access is
		not allowed
	b. just don't allow any cross-ns access at all
	c. a more complicated scheme where root process in parent and child
		namespaces can access each other until somehow the
		parent-ns cuts off the child's access.

2. This patch takes the easy route of adding user_ns pointers to the
superblock.  It would be very nice to add it to the vfsmount instead, so
that admins could simply mount --bind into various namespaces, rather
than having to use completely separate filesystems.  However several
fsuid equivalence checks happen with only an inode available.  The
hardest to address so far appear to be fs/namei.c:generic_permission as
called from, say nfs, fs/generic_acl.c:generic_acl_set, and
fs/attr.c:inode_change_ok called from jffs2.

Still, putting the user_ns in the superblock and forcing the use
of separate filesystems (i.e. through a lightweight stackable
read-only filesystem) isn't *so* bad, is it?

thanks,
-serge

next             reply	other threads:[~2006-11-07  4:18 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-11-07  4:18 Serge E. Hallyn [this message]
2006-11-07  4:19 ` [RFC] [PATCH 1/4] uid_ns: introduce inode uid check helper Serge E. Hallyn
2006-11-09 20:05   ` Cedric Le Goater
2006-11-07  4:19 ` [RFC] [PATCH 2/4] uid_ns: replace inode->fsuid checks under fs/ Serge E. Hallyn
2006-11-07  4:20 ` [RFC] [PATCH 3/4] uid_ns: replace i_uid check in fs/namespace.c Serge E. Hallyn
2006-11-07  4:20 ` [RFC] [PATCH 4/4] uid_ns: Add filesystem uid checks Serge E. Hallyn
2006-11-08  0:52 ` [RFC] [PATCH 0/4] uid_ns: introduction Herbert Poetzl
2006-11-08 17:46   ` Trond Myklebust
2006-11-08 20:34     ` Eric W. Biederman
2006-11-08 21:27       ` Herbert Poetzl
2006-11-08 21:54         ` Serge E. Hallyn
2006-11-09  0:42           ` Herbert Poetzl
2006-11-09 13:26           ` Eric W. Biederman
2006-11-09 16:50             ` Serge E. Hallyn
2006-11-09 17:17               ` Herbert Poetzl
2006-11-09 17:35                 ` Serge E. Hallyn
2006-11-09 20:12                   ` Cedric Le Goater

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20061107041814.GA28706@sergelap.austin.ibm.com \
    --to=serue@us.ibm.com \
    --cc=containers@lists.osdl.org \
    --cc=linux-fsdevel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).