From: "Serge E. Hallyn" <serge@hallyn.com>
To: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Masami Ichikawa <masami256@gmail.com>,
containers@lists.linux-foundation.org, lkp@01.org,
xiaolong.ye@intel.com, LKML <linux-kernel@vger.kernel.org>,
Mimi Zohar <zohar@linux.vnet.ibm.com>
Subject: Re: [PATCH v4] Introduce v3 namespaced file capabilities
Date: Wed, 14 Jun 2017 22:05:43 -0500 [thread overview]
Message-ID: <20170615030543.GA8979@mail.hallyn.com> (raw)
In-Reply-To: <ce471b11-e76a-25f3-eae8-eca30e7233af@linux.vnet.ibm.com>
On Wed, Jun 14, 2017 at 08:27:40AM -0400, Stefan Berger wrote:
> On 06/13/2017 07:55 PM, Serge E. Hallyn wrote:
> >Quoting Stefan Berger (stefanb@linux.vnet.ibm.com):
> >> If all extended
> >>attributes were to support this model, maybe the 'uid' could be
> >>associated with the 'name' of the xattr rather than its 'value' (not
> >>sure whether that's possible).
> >Right, I missed that in your original email when I saw it this morning.
> >It's not what my patch does, but it's an interesting idea. Do you have
> >a patch to that effect? We might even be able to generalize that to
>
> No, I don't have a patch. It may not be possible to implement it.
> The xattr_handler's take the name of the xattr as input to get().
That may be ok though. Assume the host created a container with
100000 as the uid for root, which created a container with 130000 as
uid for root. If root in the nested container tries to read the
xattr, the kernel can check for security.foo[130000] first, then
security.foo[100000], then security.foo. Or, it can do a listxattr
and look for those. Am I overlooking one?
> So one could try to encode the mapped uid in the name. However, that
I thought that's exactly what you were suggesting in your original
email? "security.capability[uid=2000]"
> could lead to problems with stale xattrs in a shared filesystem over
> time unless one could limit the number of xattrs with the same
> prefix, e.g., security.capability*. So I doubt that it would work.
Hm. Yeah. But really how many setups are there like that? I.e. if
you launch a regular docker or lxd container, the image doesn't do a
bind mount of a shared image, it layers something above it or does a
copy. What setups do you know of where multiple containers in different
user namespaces mount the same filesystem shared and writeable?
> Otherwise it would be good if the value was wrapped in a data
> structure use by all xattrs, but that doesn't seem to be the case,
> either. So I guess we have to go into each type of value structure
> and add a uid field there.
>
> >namespace any security.* xattrs. Wouldn't be automatically enabled
> >for anything but ima and capabilities, but we could make the infrastructure
> >generic and re-usable.
> >
next prev parent reply other threads:[~2017-06-15 3:05 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-07 9:21 64fa03de33: BUG:Dentry_still_in_use kernel test robot
2017-05-08 4:44 ` Serge E. Hallyn
2017-05-08 11:47 ` Masami Ichikawa
2017-05-08 15:49 ` Serge E. Hallyn
2017-05-08 18:11 ` [PATCH v4] Introduce v3 namespaced file capabilities Serge E. Hallyn
2017-05-09 16:55 ` Eric W. Biederman
2017-05-09 20:37 ` Serge E. Hallyn
2017-05-09 22:27 ` Eric W. Biederman
2017-06-13 15:47 ` Stefan Berger
2017-06-13 17:14 ` Tycho Andersen
2017-06-13 17:42 ` Stefan Berger
2017-06-13 20:51 ` Tycho Andersen
2017-06-13 17:45 ` James Bottomley
2017-06-13 20:46 ` Tycho Andersen
2017-06-13 20:49 ` Stefan Berger
2017-06-13 20:53 ` Tycho Andersen
2017-06-13 20:58 ` Stefan Berger
2017-06-13 20:59 ` Mimi Zohar
2017-06-13 21:09 ` Tycho Andersen
2017-06-13 17:18 ` Serge E. Hallyn
2017-06-13 18:12 ` Stefan Berger
2017-06-13 23:55 ` Serge E. Hallyn
2017-06-14 12:27 ` Stefan Berger
2017-06-15 3:05 ` Serge E. Hallyn [this message]
2017-06-16 9:02 ` Christian Brauner
2017-06-16 22:24 ` Stefan Berger
2017-06-17 20:56 ` Stefan Berger
2017-06-18 22:14 ` Serge E. Hallyn
2017-06-19 1:13 ` Stefan Berger
2017-06-19 13:05 ` Stefan Berger
2017-06-20 6:23 ` Serge E. Hallyn
2017-06-19 21:34 ` Eric W. Biederman
2017-06-20 5:42 ` Amir Goldstein
2017-06-20 12:19 ` Stefan Berger
2017-06-20 17:33 ` Stefan Berger
2017-06-20 19:56 ` Amir Goldstein
2017-06-20 19:57 ` Vivek Goyal
2017-06-13 23:42 ` Serge E. Hallyn
2017-06-13 23:50 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170615030543.GA8979@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lkp@01.org \
--cc=masami256@gmail.com \
--cc=stefanb@linux.vnet.ibm.com \
--cc=xiaolong.ye@intel.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox