| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 May 2014 15:00:33 -0700 From: ebiederm@...ssion.com (Eric W. Biederman) To: Seth Forshee <seth.forshee@...onical.com> Cc: Serge Hallyn <serge.hallyn@...ntu.com>, Jens Axboe <axboe@...nel.dk>, Serge Hallyn <serge.hallyn@...onical.com>, Arnd Bergmann <arnd@...db.de>, linux-kernel@...r.kernel.org, LXC development mailing-list <lxc-devel@...ts.linuxcontainers.org>, James Bottomley <James.Bottomley@...senPartnership.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces >> Ultimately the technical challenge is how do we create a block device >> that is safe for a user who does not have any capabilities to use, and >> what can we do with that block device to make it useful. > > Yes, and I'd like to get started solving those challenges. But I also > don't think we can address these two points (support partition blkdevs, > help prevent more priveleged users from using a namespace's loop > devices) sufficiently while having an implementation completely > contained within the loop driver as Greg is requesting. My key take away from the conversation is that we should reduce the scope of what is being done to something that makes sense and the propblems are immediately visible. Part of me would like to suggest that fuse and it's ability to imitate device nodes might be a more appropriate solution, to something that just needs block device access and nothing else. For purposes of discussion let's call it unprivloopfs. That can reuse code from the loop device or not as appropriate. Not supporting paritioning I think is a very reasonable first step until it is shown that we can make good use of partitioning support, and there are not better ways of solving the problem. I expect the most productive thing to talk about is what is your immediate goal? Mounting a filesystem? Building an iso? We have a long history with the namespace support of punting on issues and not solving them until a long term maintainable solution becomes clear. Let's do what we can to make the problem and the solution clear. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists