[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87mwedfh7c.fsf@x220.int.ebiederm.org>
Date: Mon, 19 May 2014 17:04:55 -0700
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Seth Forshee <seth.forshee@...onical.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Serge Hallyn <serge.hallyn@...ntu.com>,
Jens Axboe <axboe@...nel.dk>,
Serge Hallyn <serge.hallyn@...onical.com>,
Arnd Bergmann <arnd@...db.de>, linux-kernel@...r.kernel.org,
LXC development mailing-list
<lxc-devel@...ts.linuxcontainers.org>,
James Bottomley <James.Bottomley@...senPartnership.com>
Subject: Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces
Seth Forshee <seth.forshee@...onical.com> writes:
> What I set out for was feature parity between loop devices in a secure
> container and loop devices on the host. Since some operations currently
> check for system-wide CAP_SYS_ADMIN, the only way I see to accomplish
> this is to push knowledge of the user namespace farther down into the
> driver stack so the check can instead be for CAP_SYS_ADMIN in the user
> namespace associated with the device.
>
> That said, I suspect our current use cases can get by without these
> capabilities. Really though I suspect this is just deferring the
> discussion rather than settling it, and what we'll end up with is little
> more than a fancy way for userspace to ask the kernel to run mknod on
> its behalf.
A fancy way to ask the kernel to run mknod on its behalf is what
/dev/pts is.
When I suggested this I did not mean you should forgo making changes to
allow partitions and the like. What I itended is that you should find a
way to make this safe for users who don't have root capabilities.
Which possibly means that mount needs to learn how to keep a more
privileged user from using your new loop devices.
To get to the point where this is really and truly usable I expect to be
technically daunting.
Ultimately the technical challenge is how do we create a block device
that is safe for a user who does not have any capabilities to use, and
what can we do with that block device to make it useful.
Only when the question is can this kernel functionality which is
otherwise safe confuse a preexisting setuid application do namespace
or container bits significantly come into play.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists