* namespaces todo list?
From: Paul Moore @ 2017-05-31 14:22 UTC
To: linux-security-module
On Wed, May 31, 2017 at 8:45 AM, Michał Zegan
<webczat_200@poczta.onet.pl> wrote:
> Hello.
>
> Trying to track progress with linux containers, however I am quite lost.
> So, what is left to be done? I mean namespace security holes, things you
> cannot do but should be able to, etc.
> I know about those:
...
> 2 - autofs, audit, whatever...?
Proper support for namespaces/containers is a high priority item for
those of us working in the audit space, if you are interested I would
suggest joining the linux-audit mailing list (CC'd).
--
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Jessica Frazelle @ 2017-05-31 15:05 UTC
To: linux-security-module
> 3 - keys, keyrings? are they namespace aware or not? I am quite lost in
> that regard, because I happen to hear conflicting statements.
If you are using user namespaces, the keyring is namespaced.
--
Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu
From: Jessica Frazelle @ 2017-05-31 15:23 UTC
To: linux-security-module
You can catch up here [1] wrt the keyring and userns. David Howells is
working on more with the keyring currently [2], it seems, from the set
of patches.
[1] https://patchwork.kernel.org/patch/9394983/
[2] https://marc.info/?l=linux-cgroups&w=2&r=1&s=David+Howells&q=b
On Wed, May 31, 2017 at 4:17 PM, Michał Zegan
<webczat_200@poczta.onet.pl> wrote:
> On 31.05.2017 at 17:05, Jessica Frazelle wrote:
>>> 3 - keys, keyrings? are they namespace aware or not? I am quite lost in
>>> that regard, because I happen to hear conflicting statements.
>>
>> If you are using user namespaces, the keyring is namespaced.
>>
> So, from which kernel version is it namespaced? And, if it really is
> namespaced, then does it mean the only thing not currently resolved is
> request_key?
--
Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu
From: Jessica Frazelle @ 2017-05-31 17:14 UTC
To: linux-security-module
On Wed, May 31, 2017 at 5:58 PM, Michał Zegan
<webczat_200@poczta.onet.pl> wrote:
> On 31.05.2017 at 17:23, Jessica Frazelle wrote:
>> You can catch up here[1] wrt the keyring and userns, David Howells is
>> working on more with the keyring currently[2] seems like from the set
>> of patches.
>>
>> [1] https://patchwork.kernel.org/patch/9394983/
> this patch is still in new state so not merged, hmm
The state today is as described in that patch, which also goes over
the problems and designs, as well as in the other link given, which has
the more recent work.
>> [2] https://marc.info/?l=linux-cgroups&w=2&r=1&s=David+Howells&q=b
>>
>> On Wed, May 31, 2017 at 4:17 PM, Michał Zegan
>> <webczat_200@poczta.onet.pl> wrote:
>>> On 31.05.2017 at 17:05, Jessica Frazelle wrote:
>>>>> 3 - keys, keyrings? are they namespace aware or not? I am quite lost in
>>>>> that regard, because I happen to hear conflicting statements.
>>>>
>>>> If you are using user namespaces, the keyring is namespaced.
>>>>
>>> so, from which kernel version is it namespaced? and, if it really is
>>> namespaced, then does it mean the only thing not currently resolved is
>>> request_key?
--
Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu
From: Jessica Frazelle @ 2017-05-31 17:26 UTC
To: linux-security-module
Most container runtimes create new session keyrings per container as
well, idk if that helps
On Wed, May 31, 2017 at 6:25 PM, Michał Zegan
<webczat_200@poczta.onet.pl> wrote:
> On 31.05.2017 at 19:14, Jessica Frazelle wrote:
>> On Wed, May 31, 2017 at 5:58 PM, Michał Zegan
>> <webczat_200@poczta.onet.pl> wrote:
>>> On 31.05.2017 at 17:23, Jessica Frazelle wrote:
>>>> You can catch up here[1] wrt the keyring and userns, David Howells is
>>>> working on more with the keyring currently[2] seems like from the set
>>>> of patches.
>>>>
>>>> [1] https://patchwork.kernel.org/patch/9394983/
>>> this patch is still in new state so not merged, hmm
>>
>> The state today is as described in that patch, which also goes over
>> the problems and designs. as well as the other link given which has
>> the more recent work.
>>
> so from what I've read in this patch, in the mailing list and even in
> the code it seems that the only really namespaced thing for now are
> persistent keyrings, and other things require consideration. Unless
> there is something beyond kernel/user_namespace.c that I've missed.
>>>> [2] https://marc.info/?l=linux-cgroups&w=2&r=1&s=David+Howells&q=b
>>>>
>>>> On Wed, May 31, 2017 at 4:17 PM, Michał Zegan
>>>> <webczat_200@poczta.onet.pl> wrote:
>>>>> On 31.05.2017 at 17:05, Jessica Frazelle wrote:
>>>>>>> 3 - keys, keyrings? are they namespace aware or not? I am quite lost in
>>>>>>> that regard, because I happen to hear conflicting statements.
>>>>>>
>>>>>> If you are using user namespaces, the keyring is namespaced.
>>>>>>
>>>>> so, from which kernel version is it namespaced? and, if it really is
>>>>> namespaced, then does it mean the only thing not currently resolved is
>>>>> request_key?
--
Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu
From: Jessica Frazelle @ 2017-05-31 17:35 UTC
To: linux-security-module
As far as I know the only way that is done is with docker and the
default seccomp filter to block all those syscalls, you could
obviously do that with seccomp and the other runtimes as well. But
it's not a matter of just "disabling the keyring".
On Wed, May 31, 2017 at 6:32 PM, Michał Zegan
<webczat_200@poczta.onet.pl> wrote:
> I am asking more for curiosity than because of a real need, I am just
> interested in the security of linux container technologies, and tracking
> progress. I have once heard that some linux container technologies do
> rather disable keyring access completely.
>
> On 31.05.2017 at 19:26, Jessica Frazelle wrote:
>> Most container runtimes create new session keyrings per container as
>> well, idk if that helps
>>
>> On Wed, May 31, 2017 at 6:25 PM, Michał Zegan
>> <webczat_200@poczta.onet.pl> wrote:
>>> On 31.05.2017 at 19:14, Jessica Frazelle wrote:
>>>> On Wed, May 31, 2017 at 5:58 PM, Michał Zegan
>>>> <webczat_200@poczta.onet.pl> wrote:
>>>>> On 31.05.2017 at 17:23, Jessica Frazelle wrote:
>>>>>> You can catch up here[1] wrt the keyring and userns, David Howells is
>>>>>> working on more with the keyring currently[2] seems like from the set
>>>>>> of patches.
>>>>>>
>>>>>> [1] https://patchwork.kernel.org/patch/9394983/
>>>>> this patch is still in new state so not merged, hmm
>>>>
>>>> The state today is as described in that patch, which also goes over
>>>> the problems and designs. as well as the other link given which has
>>>> the more recent work.
>>>>
>>> so from what I've read in this patch, in the mailing list and even in
>>> the code it seems that the only really namespaced thing for now are
>>> persistent keyrings, and other things require consideration. Unless
>>> there is something beyond kernel/user_namespace.c that I've missed.
>>>>>> [2] https://marc.info/?l=linux-cgroups&w=2&r=1&s=David+Howells&q=b
>>>>>>
>>>>>> On Wed, May 31, 2017 at 4:17 PM, Michał Zegan
>>>>>> <webczat_200@poczta.onet.pl> wrote:
>>>>>>> On 31.05.2017 at 17:05, Jessica Frazelle wrote:
>>>>>>>>> 3 - keys, keyrings? are they namespace aware or not? I am quite lost in
>>>>>>>>> that regard, because I happen to hear conflicting statements.
>>>>>>>>
>>>>>>>> If you are using user namespaces, the keyring is namespaced.
>>>>>>>>
>>>>>>> so, from which kernel version is it namespaced? and, if it really is
>>>>>>> namespaced, then does it mean the only thing not currently resolved is
>>>>>>> request_key?
--
Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu
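An added example (not code from the thread, from Docker or from any other runtime) of the seccomp approach Jessica describes: a raw seccomp-BPF filter that makes the keyring syscalls fail with EPERM instead of "disabling the keyring". It assumes the syscalls in question are add_key, request_key and keyctl, and that it runs on Linux x86_64 or aarch64.

```c
// Added example, not code from the thread: a raw seccomp-BPF filter (no
// libseccomp) that makes add_key, request_key and keyctl fail with EPERM,
// the way Jessica describes Docker's default profile doing it. Linux only.
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/keyctl.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install the filter for this process and its future children. Returns 0 on success. */
int deny_keyring_syscalls(void) {
    struct sock_filter prog[] = {
        /* Kill if the syscall ABI is not the one this filter was built for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Deny the three keyring syscalls with EPERM; allow everything else. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_add_key, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_request_key, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_keyctl, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed when unprivileged */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Probe with a read-only keyctl op: 1 if the kernel now refuses it with EPERM. */
int keyring_blocked(void) {
    errno = 0;
    long r = syscall(__NR_keyctl, KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 0);
    return r == -1 && errno == EPERM;
}
```

A runtime would call deny_keyring_syscalls() in the container's init process right before exec'ing the workload, so the filter is inherited by everything in the container; a prior session keyring join (as described above) still happens, the workload just cannot reach it.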