lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 6 Aug 2007 08:09:04 -0500 From: "Serge E. Hallyn" <serue@...ibm.com> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Michael Kerrisk <mtk-manpages@....net>, "Serge E. Hallyn" <serue@...ibm.com>, lkml <linux-kernel@...r.kernel.org>, Kirill Korotaev <dev@...nvz.org>, Herbert Poetzl <herbert@...hfloor.at>, Andrey Savochkin <saw@...ru>, Adrian Bunk <bunk@...sta.de>, Cedric Le Goater <clg@...ibm.com>, Chris Wright <chrisw@...s-sol.org>, Stephen Smalley <sds@...ho.nsa.gov>, James Morris <jmorris@...ei.org>, Andrew Morgan <agm@...gle.com> Subject: Re: CLONE_NEWUSER documentation Quoting Eric W. Biederman (ebiederm@...ssion.com): > Michael Kerrisk <mtk-manpages@....net> writes: > > > Hello Serge, > > > > In 2.6.23-rc, your patch to add support for CLONE_NEWUSER is included. Is > > there there some for-userland-programmers documentation of this flag > > somewhere? Would you be able to send some documentation to me (ideally as > > a patch to the clone.2 man page, but otherwise some plain text will do). > > > > If this flag is also supported for unshare(), then could you please send me > > a patch/text for that too? > > Currently this namespace is a work in progress marked with CONFIG_EXPERIMENTAL > because it is very much still experimental and under development. > > There may be other omissions but the one I am most aware of is that > the in kernel user and group equality comparisons have not become been > transformed from the form uid1 == uid2 to user_namespace1 == user_namespace2 && > uid1 == uid2. I think the two main omissions are that one, and the fact that there is no concept of a capability mask or per-namespace/cross-namespace capabilities. What is implemented is separate accounting for the same uid in different namespaces. Until the shortcomings are addressed, depending on one's use case, one may want to use selinux to control access across user namespaces. > Until that happens that user namespace remains incomplete and not very > useful. So the advice to users for now that unless they want to help > finish this up do not use. thanks, -serge - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists