From: ebiederm@xmission.com (Eric W. Biederman)
To: Linux Containers <containers@lists.linux-foundation.org>
Cc: <linux-kernel@vger.kernel.org>, <linux-fsdevel@vger.kernel.org>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: [PATCH review 0/16] user namespace and namespace infrastructure completion
Date: Mon, 19 Nov 2012 07:08:11 -0800
Message-ID: <87lidx8wbo.fsf@xmission.com>
The following series of changes completes the user namespace and adds
the much too long delayed bits of namespace infrastructure.
This series of changes adds unprivileged creation of all namespaces,
support for creating a user namespace with unshare, and support for
entering a user namespace with setns.
The proc namespace files are converted into magic symlinks to avoid
problems with dentry caching excessively keeping a namespace alive and
dentry caching allowing the ptrace_may_access checks to be bypassed.
The proc namespace files now have inode numbers that are always the same
for the same namespace, allowing stat to test if two file descriptors
refer to the same namespace.
Eric W. Biederman (16):
userns: Ignore suid and sgid on binaries if the uid or gid can not be mapped
userns: Allow unprivileged users to create user namespaces.
userns: Allow chown and setgid preservation
userns: Allow setting a userns mapping to your current uid.
userns: Allow unprivileged users to create new namespaces
userns: Allow unprivileged use of setns.
userns: Make create_new_namespaces take a user_ns parameter
userns: Kill task_user_ns
userns: Implent proc namespace operations
userns: Implement unshare of the user namespace
procfs: Print task uids and gids in the userns that opened the proc file
userns: For /proc/self/{uid,gid}_map derive the lower userns from the struct file
userns: Allow unprivilged mounts of proc and sysfs
proc: Generalize proc inode allocation
proc: Fix the namespace inode permission checks.
proc: Usable inode numbers for the namespace file descriptors.
fs/attr.c | 11 ++-
fs/exec.c | 9 +--
fs/mount.h | 1 +
fs/namespace.c | 14 +++
fs/proc/array.c | 2 +-
fs/proc/generic.c | 26 +++---
fs/proc/inode.c | 6 +-
fs/proc/namespaces.c | 177 +++++++++++++++++++++++++++++++++++-----
fs/proc/root.c | 1 +
fs/sysfs/mount.c | 1 +
include/linux/cred.h | 2 -
include/linux/ipc_namespace.h | 9 ++-
include/linux/nsproxy.h | 2 +-
include/linux/pid_namespace.h | 1 +
include/linux/proc_fs.h | 18 ++++-
include/linux/user_namespace.h | 10 ++
include/linux/utsname.h | 7 +-
include/net/net_namespace.h | 2 +
init/version.c | 2 +
ipc/msgutil.c | 2 +
ipc/namespace.c | 32 ++++++--
kernel/fork.c | 33 +++++---
kernel/nsproxy.c | 34 ++++----
kernel/pid.c | 1 +
kernel/pid_namespace.c | 12 +++
kernel/ptrace.c | 10 ++-
kernel/sched/core.c | 10 ++-
kernel/user.c | 2 +
kernel/user_namespace.c | 147 +++++++++++++++++++++++++++++----
kernel/utsname.c | 33 ++++++--
net/core/net_namespace.c | 31 +++++++-
security/yama/yama_lsm.c | 12 ++-
32 files changed, 535 insertions(+), 125 deletions(-)
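The two user-visible behaviours the cover letter describes, exercised from userspace, as an added example that is not part of the patch series or of the kernel tree: `same_ns()` compares two namespace handles by `(st_dev, st_ino)` as the cover letter suggests, and `demo_unprivileged_userns()` forks a child that calls `unshare(CLONE_NEWUSER)` without privilege, writes the one mapping an unprivileged process is allowed to write (its own outer euid, mapped to 0 inside), and reports whether it really landed in a distinct user namespace as uid 0. The helper names, the exit-code convention and the set of errno values treated as "unprivileged user namespaces not available" are this example's own assumptions, not anything defined by the series.

```c
/* Added example, not kernel code. Linux only; build: cc -Wall userns_demo.c -o userns_demo */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the two namespace handles name the same namespace, 0 if
 * not, -1 if either cannot be stat()ed. stat() follows the magic symlink,
 * and with this series the inode number is stable per namespace, so the
 * (st_dev, st_ino) pair identifies it. */
int same_ns(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) < 0 || stat(b, &sb) < 0)
        return -1;
    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

/* Write a short string to a procfs file in one write(2) (mapping files
 * must be written in a single call). */
static int write_str(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

struct ns_report { dev_t dev; ino_t ino; uid_t euid; };

/* Fork a child that unshares a user namespace without privilege, maps its
 * own outer uid to 0 inside it (the only mapping an unprivileged writer may
 * set), and reports its namespace identity back over a pipe.
 * Returns 1 if the child ended up in a distinct user ns as uid 0,
 * 0 if the kernel or sandbox refuses unprivileged user namespaces
 * (assumed errno set: EPERM/EINVAL/EACCES/ENOSPC/EUSERS), -1 otherwise. */
int demo_unprivileged_userns(void)
{
    int pfd[2];
    if (pipe(pfd) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(pfd[0]);
        uid_t outer = geteuid();      /* read before unshare: afterwards we are unmapped */
        if (unshare(CLONE_NEWUSER) < 0) {
            int e = errno;
            _exit(e == EPERM || e == EINVAL || e == EACCES ||
                  e == ENOSPC || e == EUSERS ? 2 : 3);
        }
        char map[64];
        snprintf(map, sizeof map, "0 %u 1", (unsigned)outer);
        if (write_str("/proc/self/uid_map", map) < 0)
            _exit(3);
        struct stat st;
        if (stat("/proc/self/ns/user", &st) < 0)
            _exit(3);
        struct ns_report r = { st.st_dev, st.st_ino, geteuid() };
        (void)write(pfd[1], &r, sizeof r);
        _exit(0);
    }
    close(pfd[1]);
    struct ns_report r;
    ssize_t n = read(pfd[0], &r, sizeof r);
    close(pfd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 2)
        return 0;
    if (WEXITSTATUS(status) != 0 || n != (ssize_t)sizeof r)
        return -1;
    struct stat mine;
    if (stat("/proc/self/ns/user", &mine) < 0)
        return -1;
    int distinct = !(mine.st_dev == r.dev && mine.st_ino == r.ino);
    return (distinct && r.euid == 0) ? 1 : 0;
}

int main(void)
{
    printf("self vs self:         %d\n", same_ns("/proc/self/ns/user", "/proc/self/ns/user"));
    printf("user ns vs mount ns:  %d\n", same_ns("/proc/self/ns/user", "/proc/self/ns/mnt"));
    printf("unprivileged user ns: %d\n", demo_unprivileged_userns());
    return 0;
}
```

Two caveats for anyone running this against a current kernel rather than the tree this series targets: the `stat()` comparison only works from a process that passes the ptrace-style access check on the target, so comparing against another user's `/proc/<pid>/ns/*` from inside a less privileged namespace fails with EACCES rather than returning a mismatch; and kernels from 3.19 onward additionally require writing `deny` to `/proc/self/setgroups` before an unprivileged process may write `gid_map`, which this example does not touch because it only maps a uid.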
Thread overview: 27+ messages
2012-11-19 15:08 Eric W. Biederman [this message]
2012-11-19 15:12 ` [PATCH review 01/16] userns: Ignore suid and sgid on binaries if the uid or gid can not be mapped Eric W. Biederman
2012-11-19 15:12 ` [PATCH review 02/16] userns: Allow unprivileged users to create user namespaces Eric W. Biederman
2012-11-19 15:12 ` [PATCH review 03/16] userns: Allow chown and setgid preservation Eric W. Biederman
2012-11-19 17:49 ` Serge Hallyn
2012-11-19 15:12 ` [PATCH review 04/16] userns: Allow setting a userns mapping to your current uid Eric W. Biederman
2012-11-19 15:12 ` [PATCH review 05/16] userns: Allow unprivileged users to create new namespaces Eric W. Biederman
2012-11-19 15:12 ` [PATCH review 06/16] userns: Allow unprivileged use of setns Eric W. Biederman
2012-11-19 15:12 ` [PATCH review 07/16] userns: Make create_new_namespaces take a user_ns parameter Eric W. Biederman
2012-11-19 15:12 ` [PATCH review 08/16] userns: Kill task_user_ns Eric W. Biederman
2012-11-19 22:34 ` Kees Cook
2012-11-19 15:12 ` [PATCH review 09/16] userns: Implent proc namespace operations Eric W. Biederman
2012-11-19 15:12 ` [PATCH review 10/16] userns: Implement unshare of the user namespace Eric W. Biederman
2012-11-19 15:12 ` [PATCH review 11/16] procfs: Print task uids and gids in the userns that opened the proc file Eric W. Biederman
2012-11-19 17:58 ` Serge Hallyn
2012-11-19 15:12 ` [PATCH review 12/16] userns: For /proc/self/{uid,gid}_map derive the lower userns from the struct file Eric W. Biederman
2012-11-19 18:03 ` [PATCH review 12/16] userns: For /proc/self/{uid, gid}_map " Serge Hallyn
2012-11-19 18:29 ` Eric W. Biederman
2012-11-19 21:01 ` Serge Hallyn
2012-11-19 21:09 ` Eric W. Biederman
2012-11-19 21:19 ` Serge Hallyn
2012-11-19 21:27 ` Eric W. Biederman
2012-11-19 15:12 ` [PATCH review 13/16] userns: Allow unprivilged mounts of proc and sysfs Eric W. Biederman
2012-11-19 15:12 ` [PATCH review 14/16] proc: Generalize proc inode allocation Eric W. Biederman
2012-11-19 18:04 ` Serge Hallyn
2012-11-19 15:12 ` [PATCH review 15/16] proc: Fix the namespace inode permission checks Eric W. Biederman
2012-11-19 15:12 ` [PATCH review 16/16] proc: Usable inode numbers for the namespace file descriptors Eric W. Biederman