[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <m162sagvdn.fsf@fess.ebiederm.org>
Date: Wed, 23 Feb 2011 15:54:12 -0800
From: ebiederm@...ssion.com (Eric W. Biederman)
To: David Howells <dhowells@...hat.com>
Cc: "Serge E. Hallyn" <serge@...lyn.com>,
LSM <linux-security-module@...r.kernel.org>,
Andrew Morton <akpm@...l.org>,
James Morris <jmorris@...ei.org>,
Kees Cook <kees.cook@...onical.com>,
containers@...ts.linux-foundation.org,
kernel list <linux-kernel@...r.kernel.org>,
Alexey Dobriyan <adobriyan@...il.com>,
Michael Kerrisk <mtk.manpages@...il.com>, xemul@...allels.com
Subject: Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
David Howells <dhowells@...hat.com> writes:
> Eric W. Biederman <ebiederm@...ssion.com> wrote:
>
>> > Which means that unless the uts_namespace belongs to our user_namespace, we
>> > cannot change it. Is that correct?
>>
>> No. If you are root in a parent namespace you can also change it.
>
> But surely, by definition, if you're a user in this namespace, you can't also
> be root in a parent namespace...
To be clear the case you looked at was:
> - if (!capable(CAP_SYS_ADMIN))
> + if (!ns_capable(current->nsproxy->uts_ns->user_ns, CAP_SYS_ADMIN))
>
> what is it you're actually asking? I presume it's 'does this user have
> CAP_SYS_ADMIN capability over objects belonging to the uts_namespace's
> user_namespace?'
Here "current->nsproxy->uts_ns->user_ns" (the target_ns value) is only
refers to the uts_ns we are talking about.
The user itself comes from current_user().
> For the case I worked through current_user() is a member of current_user_ns()
> and can't also be a member of its parent, grandparent, etc. - or can
> it?
Right now if you are looking at current_user() because of limitations in
the creation ordering I think you are correct.
However in the near term pile of changes to merge, are the syscalls for
joining an existing namespace. At which point there is no reason in
general to suppose the current limitations of creation apply.
Although it is conceivable that unshare of namespaces can also get you
to someplace similar to joining prexisting namespaces.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists