From: Jeff Layton <jeff.layton@primarydata.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Lukasz Pawelczyk <l.pawelczyk@samsung.com>,
Richard Weinberger <richard@nod.at>,
Andy Lutomirski <luto@amacapital.net>,
David Howells <dhowells@redhat.com>,
Seth Forshee <seth.forshee@canonical.com>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
lsf-pc@lists.linux-foundation.org
Subject: Re: [Lsf-pc] [LSF/MM TOPIC] Filesystem namespaces and uid/gid/lsm remapping
Date: Sun, 22 Feb 2015 18:51:49 -0500 [thread overview]
Message-ID: <20150222185149.73907103@synchrony.poochiereds.net> (raw)
In-Reply-To: <1424623968.2146.70.camel@HansenPartnership.com>
On Sun, 22 Feb 2015 08:52:48 -0800
James Bottomley <James.Bottomley@HansenPartnership.com> wrote:
> On Mon, 2014-12-08 at 15:59 -0600, Eric W. Biederman wrote:
> > David Howells <dhowells@redhat.com> writes:
> >
> > > Andy Lutomirski <luto@amacapital.net> wrote:
> > >
> > >> - How should LSM security labels be translated?
> > >
> > > I'm definitely interested in that. Especially with respect to how to deal
> > > with SELinux + overlay{fs,}/unionmount.
> > >
> > > Also, I'm interested in how keyrings should interact with namespaces. Should
> > > keys be namespaced?
> >
> > Key lookups are already per user namespace, so I would call that
> > namespaced. We do have the question with keys, should we allow
> > duplicate key values so that checkpoint/restart can carry keys between
> > different kernels.
> >
> > > And I'm also interested in how upcalls, including to /sbin/request-key, should
> > > be dealt with.
> >
> > Good question. There is some ongoing discussion on that right now.
>
> Aren't the upcalls exactly the same problem as NFS in a container (which
> uses daemon upcalls). Can the existing solution for that be
> generalised?
>
Not really, no...
NFS (and nfsd) namespaceification (is that a word?) is designed around
the network namespace. Start your daemons in a container and do your
mount in the same container and everything "just works" due to the fact
that the network namespace is the same.
When you do something like a call_usermodehelper upcall, then things
become more tricky. You have a network namespace, but nothing else, so
you still have to know (for instance) what mount namespace to spawn the
usermode helper in. Sorting that out is not at all straightforward and
if we get it wrong it could be a giant security hole.
Ian Kent is working on a patchset for this. The current idea is to ID
the init process in the container where the mount occurred (or where
nfsd was started) and use that to get an nsproxy to use for the UMH
upcall.
--
Jeff Layton <jlayton@primarydata.com>
next prev parent reply other threads:[~2015-02-22 23:51 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-02 23:47 [LSF/MM TOPIC] Filesystem namespaces and uid/gid/lsm remapping Andy Lutomirski
2014-12-03 3:37 ` Eric W. Biederman
2015-02-22 17:12 ` [Lsf-pc] " James Bottomley
2015-02-23 12:38 ` Jan Kara
2014-12-03 14:48 ` Seth Forshee
2014-12-05 18:01 ` David Howells
2014-12-08 21:59 ` Eric W. Biederman
2014-12-09 18:51 ` [Lsf-pc] " Jeff Layton
2015-02-22 16:52 ` James Bottomley
2015-02-22 23:51 ` Jeff Layton [this message]
2015-02-22 17:01 ` James Bottomley
2015-02-23 15:54 ` Andy Lutomirski
2015-02-23 16:16 ` James Bottomley
2015-03-02 22:34 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150222185149.73907103@synchrony.poochiereds.net \
--to=jeff.layton@primarydata.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=l.pawelczyk@samsung.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=lsf-pc@lists.linux-foundation.org \
--cc=luto@amacapital.net \
--cc=richard@nod.at \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).