lists.openwall.net: Open Source and information security mailing list archives (linux-kernel)
Date:	Thu, 27 Jun 2013 14:43:09 +0100
From:	Chris Webb <chris@...chsys.com>
To:	linux-kernel@...r.kernel.org
Cc:	"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: Re: Building a BSD-jail clone out of namespaces

Chris Webb <chris@...chsys.com> writes:

> Prompted by the new userns support merged in the 3.8/3.9 kernels, I've been
> playing with namespaces and trying to understand how I could use them to
> build containers to replace some of my uses of qemu-kvm virtual machines.

I now have most things working as I'd want and am just polishing my
userspace container tool before release to make sure it fits well with
common conventions such as those mentioned at

  http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/

and parses /etc/subuid and /etc/subgid files in the format you've defined
them in your shadow patches. I was delighted by how it all nests nicely,
provided I bind mount my /dev nodes from the level above rather than try to
mknod them in the outer container.

I'd like to arrange for slightly different behaviour when the tool is run at
the top-level 'host' user namespace, for example warning about attempts to
map the dangerous UID 0.

Is there a canonical way to detect when I'm in the top-level user namespace?
I can clearly try doing something which should be impossible for a
non-top-level root user like opening /proc/kpageflags for reading or
/proc/sys/ctrl-alt-del for writing, but I wondered if there was something
more idiomatic as a test? (Some sort of 'get parent namespace' that might
return null at top-level maybe?)

Cheers,

Chris.
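One way to implement the check Chris asks about, as an added example that is neither his container tool's code nor anything from the kernel or Eric's shadow patches. It parses /proc/self/uid_map, whose format (inside-namespace id, outside-namespace id, length, one extent per line) is documented for user namespaces: the initial user namespace holds exactly one extent, 0 0 4294967295. The kpageflags probe is the fallback Chris himself proposes. The function names, the warning policy, and the hypothetical command-line argument are this example's own assumptions.

```c
/* Added example, not code from Chris Webb's container tool or from the
 * kernel: decide whether the caller is in the initial ("host") user
 * namespace by parsing /proc/self/uid_map, then use that answer to warn
 * when the tool is about to map host UID 0 into a container. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* In the initial user namespace /proc/self/uid_map holds exactly one
 * extent, "0 0 4294967295" (inside-ns id, outside-ns id, length).  A child
 * namespace normally shows a shifted or shorter map such as "0 100000 65536".
 * Caveat: a privileged parent can give a child the same full identity map,
 * so a "no" from this check is certain while a "yes" is only a strong hint. */
#define FULL_RANGE 4294967295UL

/* Returns 1 if `map` (the text of a uid_map file) is the single full-range
 * identity extent of the initial user namespace, 0 otherwise (malformed
 * input is treated conservatively as "not initial"). */
int uid_map_is_initial(const char *map)
{
    const char *p = map;
    int extents = 0, full_identity = 0;

    while (*p) {
        unsigned long inside, outside, count;
        int consumed = 0;

        while (*p == ' ' || *p == '\t' || *p == '\n')   /* skip blanks */
            p++;
        if (!*p)
            break;
        if (sscanf(p, "%lu %lu %lu%n", &inside, &outside, &count, &consumed) != 3)
            return 0;
        extents++;
        if (inside == 0 && outside == 0 && count == FULL_RANGE)
            full_identity = 1;
        p += consumed;
        while (*p && *p != '\n')                         /* rest of line */
            p++;
    }
    return extents == 1 && full_identity;
}

/* Reads the calling process's own map.  Returns 1 = initial user namespace,
 * 0 = child user namespace, -1 = cannot tell (no uid_map on a kernel
 * without user namespace support, or a read error). */
int in_initial_user_ns(void)
{
    char buf[4096];
    ssize_t n;
    int fd = open("/proc/self/uid_map", O_RDONLY);

    if (fd < 0)
        return -1;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return uid_map_is_initial(buf);
}

/* The fallback probe from the message: opening /proc/kpageflags for
 * reading, which Chris expects a non-top-level root to be unable to do.
 * Returns 1 if it opens, 0 if refused, -1 if absent or another error. */
int can_read_kpageflags(void)
{
    int fd = open("/proc/kpageflags", O_RDONLY);

    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return (errno == EACCES || errno == EPERM) ? 0 : -1;
}

/* Hypothetical policy: warn only when running in the host user namespace
 * and container UID 0 is about to be mapped to host UID 0. */
int should_warn_uid0(int initial_ns, unsigned long outside_uid_for_root)
{
    return initial_ns == 1 && outside_uid_for_root == 0;
}

int main(int argc, char **argv)
{
    /* Hypothetical CLI: argv[1] is the host UID the tool would map to
     * container UID 0 (default 100000, a typical /etc/subuid start). */
    unsigned long outside = argc > 1 ? strtoul(argv[1], NULL, 10) : 100000UL;
    int initial = in_initial_user_ns();

    printf("initial user namespace: %s\n",
           initial == 1 ? "yes" : initial == 0 ? "no" : "unknown");
    printf("kpageflags probe: %d\n", can_read_kpageflags());
    if (should_warn_uid0(initial, outside))
        fprintf(stderr, "warning: mapping host UID 0 to container UID 0\n");
    return 0;
}
```

Run it unprivileged on the host and again inside a container created with a shifted map (for example 0 100000 65536) to see the answer flip; run the kpageflags probe as root in both places to compare the two methods. Because the parser is separated from the file read, the decision logic can be exercised on constructed uid_map text without needing a namespace at hand.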
