| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Oct 2011 13:57:02 -0400 From: "J. Bruce Fields" <bfields@...ldses.org> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Theodore Tso <tytso@....EDU>, Matt Helsley <matthltc@...ibm.com>, Lennart Poettering <mzxreary@...inter.de>, Kay Sievers <kay.sievers@...y.org>, linux-kernel@...r.kernel.org, harald@...hat.com, david@...ar.dk, greg@...ah.com, Linux Containers <containers@...ts.osdl.org>, Linux Containers <lxc-devel@...ts.sourceforge.net>, "Serge E. Hallyn" <serge@...lyn.com>, Daniel Lezcano <daniel.lezcano@...e.fr>, Paul Menage <paul@...lmenage.org> Subject: Re: Detecting if you are running in a container On Tue, Oct 11, 2011 at 02:16:24PM -0700, Eric W. Biederman wrote: > It actually isn't much complexity and for the most part the code that > I care about in that area is already merged. In principle all I care > about are having the identiy checks go from: > (uid1 == uid2) to ((user_ns1 == user_ns2) && (uid1 == uid2)) > > There are some per subsystem sysctls that do make sense to make per > subsystem and that work is mostly done. I expect there are a few > more in the networking stack that interesting to make per network > namespace. > > The only real world issue right now that I am aware of is the user > namespace aren't quite ready for prime-time and so people run into > issues where something like sysctl -a during bootup sets a bunch of > sysctls and they change sysctls they didn't mean to. Once the > user namespaces are in place accessing a truly global sysctl will > result in EPERM when you are in a container and everyone will be > happy. ;) > > > Where all of this winds up interesting in the field of oncoming kernel > work is that uids are persistent and are stored in file systems. So > once we have all of the permission checks in the kernel tweaked to care > about user namespaces we next look at the filesystems. The easy > initial implementation is going to be just associating a user namespace > with a super block. But farther out being able to store uids from > different user namespaces on the same filesystem becomes an interesting > problem. Yipes. Why would anyone want to do that? --b. > We already have things like user mapping in 9p and nfsv4 so it isn't > wholly uncharted territory. But it could get interesting. Just > a heads up. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists