| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <871tooy4nc.fsf@x220.int.ebiederm.org> Date: Thu, 27 Nov 2014 10:44:39 -0600 From: ebiederm@...ssion.com (Eric W. Biederman) To: Lukasz Pawelczyk <l.pawelczyk@...sung.com> Cc: Richard Weinberger <richard@....at>, Ingo Molnar <mingo@...hat.com>, Peter Zijlstra <peterz@...radead.org>, James Morris <james.l.morris@...cle.com>, "Serge E. Hallyn" <serge@...lyn.com>, Serge Hallyn <serge.hallyn@...onical.com>, Al Viro <viro@...iv.linux.org.uk>, Paul Moore <pmoore@...hat.com>, Kees Cook <keescook@...omium.org>, Miklos Szeredi <mszeredi@...e.cz>, Jeff Kirsher <jeffrey.t.kirsher@...el.com>, Nikolay Aleksandrov <nikolay@...hat.com>, Mark Rustad <mark.d.rustad@...el.com>, David Howells <dhowells@...hat.com>, Andrew Morton <akpm@...ux-foundation.org>, Oleg Nesterov <oleg@...hat.com>, Juri Lelli <juri.lelli@...il.com>, Daeseok Youn <daeseok.youn@...il.com>, David Rientjes <rientjes@...gle.com>, Dario Faggioli <raistlin@...ux.it>, Alex Thorlton <athorlton@....com>, Matthew Dempsky <mdempsky@...omium.org>, Vladimir Davydov <vdavydov@...allels.com>, Casey Schaufler <casey@...aufler-ca.com>, LKML <linux-kernel@...r.kernel.org>, "open list\:ABI\/API" <linux-api@...r.kernel.org>, linux-security-module@...r.kernel.org, Linux Containers <containers@...ts.linux-foundation.org>, Lukasz Pawelczyk <havner@...il.com> Subject: Re: [RFC] lsm: namespace hooks Lukasz Pawelczyk <l.pawelczyk@...sung.com> writes: > On czw, 2014-11-27 at 09:42 -0600, Eric W. Biederman wrote: >> Lukasz Pawelczyk <l.pawelczyk@...sung.com> writes: >> >> > On czw, 2014-11-27 at 16:01 +0100, Richard Weinberger wrote: >> >> Am 27.11.2014 um 15:44 schrieb Lukasz Pawelczyk: >> >> > True, the last one is 0x80000000. I did not notice that. Thanks for >> >> > pointing out. >> >> >> >> Isn't this CLONE_IO? >> > >> > Yes, I was merely noticing out loud that it's the last bit of 32bit. >> > >> > After close look though the 0x00001000 appears to be unused >> > >> >> > Any suggestion on what can be done here? New syscal with flags2? >> >> >> >> I'm not sure. But a new syscall would be a candidate. >> >> We are probably going to need to go a couple rounds with this but at >> first approximation I think this functionality needs to be tied to the >> user namespace. This functionality already looks half tied to it. >> >> When mounting filesystems with user namespaces priveleges matures a >> little more you should be able to use unmapped labels. In the near term >> we are looking at filesystems such as tmpfs, fuse and posibly extN. > > I presume you are referring to the Smack namespace readme where I > mentioned mounts with specifying smack labels in the mount options, not > to the quote above? > > I was referring the to the check here that has been changed to > smack_ns_privileged() using ns_capable(): > http://lxr.free-electrons.com/source/security/smack/smack_lsm.c#L462 > > And you can't use an unmapped Smack label inside the namespace, this > would be completely against its idea. > > Anyway, at this point I'm more interested in the LSM namespace. I'll be > doing an RFC for Smack namespace later. > > Unless I misunderstood your mail. I had two points. a) Tie the label mapping to the user namespace, then we don't need any new namespaces. Is there a reason not to tie the label mapping to the user namespace? Needing to modify every userspace that create containers to know about every different lsm looks like a maintenance difficulty I would prefer to avoid. b) For filesystems that don't need uid mapping (say ext2 mounted with user namespace permissions) we shouldn't need LSM mapping either. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists