Open Source and information security mailing list archives
Date:   Fri, 15 Jan 2021 12:51:20 -0500
From:   "Theodore Ts'o" <>
To:     Christoph Hellwig <>
Cc:     Dave Chinner <>,
        "Darrick J. Wong" <>,
        Christian Brauner <>,
        Alexander Viro <>,
        John Johansen <>,
        James Morris <>,
        Mimi Zohar <>,
        Dmitry Kasatkin <>,
        Stephen Smalley <>,
        Casey Schaufler <>,
        Arnd Bergmann <>,
        Andreas Dilger <>,
        OGAWA Hirofumi <>,
        Geoffrey Thomas <>,
        Mrunal Patel <>,
        Josh Triplett <>,
        Andy Lutomirski <>,
        Alban Crequy <>,
        Tycho Andersen <>,
        David Howells <>,
        James Bottomley <>,
        Seth Forshee <>,
        Stéphane Graber <>,
        Linus Torvalds <>,
        Aleksa Sarai <>,
        Lennart Poettering <>,
        "Eric W. Biederman" <>,
        Phil Estes <>, Serge Hallyn <>,
        Kees Cook <>,
        Todd Kjos <>, Paul Moore <>,
        Jonathan Corbet <>
Subject: Re: [PATCH v5 00/42] idmapped mounts

On Fri, Jan 15, 2021 at 04:24:23PM +0000, Christoph Hellwig wrote:
> That is what the capabilities are designed for and we already check
> for them.

So perhaps I'm confused, but my understanding is that in the
containers world, capabilities are a lot more complicated.  There is:

1) The initial namespace capability set

2) The container's user-namespace capability set

3) The namespace in which the file system is mounted --- which is
      "usually, but not necessarily the initial namespace" and
      presumably could potentially not necessarily be the current
      container's user namespace, as namespaces can be hierarchical

Is that correct?  If so, how does this patch set change things (if
any), and how does this interact with quota administration?

On a related note, ext4 specifies a "reserved user" or "reserved
group" which can access the reserved blocks.  If we have a file system
which is mounted in a namespace running a container which is running
RHEL or SLES, and in that container, we have a file system mounted (so
it was not mounted in the initial namespace), with id-mapping --- and
then there is a further sub-container created with its own user
sub-namespace further mapping uids/gids --- will the right thing
happen?  For that matter, how *is* the "right thing" defined?

Sorry if this is a potentially stupid question, but I find user
namespaces and id and capability mapping to be hopelessly confusing for
my tiny brain.  :-)

						- Ted
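The nesting Ted describes in item 3 and in the sub-container question (a container with its own uid mapping, and a further user namespace inside it mapping uids again) is easier to reason about with the mapping chain written out. The following is an added example, not code from the idmapped-mounts series or from anyone in this thread. It is a userspace model of the uid_map semantics documented in user_namespaces(7): each uid_map line is "inside outside count" with "outside" an id in the parent namespace, a lookup walks parent by parent up to the initial namespace, and an id with no mapping is invalid going up and becomes the overflow id (65534 by default) coming down. The two-level container layout is constructed for illustration; the extra translation an idmapped mount adds at the mount layer, and the capability checks, are deliberately not modelled, so the example only shows which kernel uid a given in-container id corresponds to and which kernel uids are invisible from inside.

```c
/* Added example: model of nested user-namespace uid mapping per
 * user_namespaces(7). Layout below is constructed, not taken from any
 * real system; idmapped mounts and capability checks are not modelled. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define OVERFLOW_UID 65534u          /* default /proc/sys/kernel/overflowuid */
#define INVALID_UID  0xFFFFFFFFu     /* "no kuid": the id is not mapped */

struct uid_map_entry { uint32_t inside, outside, count; };

struct user_ns {
    const char *name;
    const struct user_ns *parent;        /* NULL for the initial namespace */
    const struct uid_map_entry *map;     /* the namespace's uid_map lines */
    size_t nmap;
};

/* One hop up: id in ns -> id in ns->parent, INVALID_UID if unmapped. */
static uint32_t map_id_up(const struct user_ns *ns, uint32_t id)
{
    for (size_t i = 0; i < ns->nmap; i++) {
        const struct uid_map_entry *e = &ns->map[i];
        if (id >= e->inside && id - e->inside < e->count)
            return e->outside + (id - e->inside);
    }
    return INVALID_UID;
}

/* One hop down: id in ns->parent -> id in ns, INVALID_UID if unmapped. */
static uint32_t map_id_down(const struct user_ns *ns, uint32_t parent_id)
{
    for (size_t i = 0; i < ns->nmap; i++) {
        const struct uid_map_entry *e = &ns->map[i];
        if (parent_id >= e->outside && parent_id - e->outside < e->count)
            return e->inside + (parent_id - e->outside);
    }
    return INVALID_UID;
}

/* Kernel uid for an id as seen from ns (the role of make_kuid): INVALID_UID
 * if any namespace on the way up leaves it unmapped. */
uint32_t kuid_of(const struct user_ns *ns, uint32_t id)
{
    for (; ns->parent && id != INVALID_UID; ns = ns->parent)
        id = map_id_up(ns, id);
    return id;
}

/* How a kernel uid appears inside ns (the role of from_kuid_munged): the
 * overflow id if any namespace on the way down does not map it. */
uint32_t uid_seen_from(const struct user_ns *ns, uint32_t kuid)
{
    const struct user_ns *chain[16];     /* ns and its ancestors, ns first */
    size_t depth = 0;
    for (const struct user_ns *n = ns; n->parent; n = n->parent) {
        if (depth == sizeof chain / sizeof chain[0])
            return OVERFLOW_UID;         /* deeper than this model supports */
        chain[depth++] = n;
    }
    uint32_t id = kuid;
    while (depth--) {                    /* outermost namespace first */
        id = map_id_down(chain[depth], id);
        if (id == INVALID_UID)
            return OVERFLOW_UID;
    }
    return id;
}

/* Constructed layout: a container whose root is kernel uid 100000, and a
 * sub-container inside it whose root is container uid 1000 (kernel 101000). */
static const struct user_ns init_ns = { "init", NULL, NULL, 0 };

static const struct uid_map_entry container_map[] = { { 0, 100000, 65536 } };
static const struct user_ns container_ns = { "container", &init_ns, container_map, 1 };

static const struct uid_map_entry inner_map[] = { { 0, 1000, 1000 } };
static const struct user_ns inner_ns = { "inner", &container_ns, inner_map, 1 };

int main(void)
{
    /* Root of the sub-container is kernel uid 101000, not 0. */
    printf("inner uid 0 -> kuid %u\n", kuid_of(&inner_ns, 0));
    /* The container's root (kernel 100000) has no identity in the sub-container. */
    printf("kuid 100000 seen from inner -> %u\n", uid_seen_from(&inner_ns, 100000));
    /* Real root is not mapped into either container. */
    printf("kuid 0 seen from container -> %u\n", uid_seen_from(&container_ns, 0));
    return 0;
}
```

The point for the reserved-uid question is visible in the last two lookups: an id that is meaningful in the mounting namespace (container uid 0, kernel 100000) collapses to the overflow id one level further down, so which namespace an option such as an ext4 reserved uid is interpreted in decides whether the sub-container can ever name that owner at all.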
