lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 16 Jan 2015 10:25:27 -0500
From:	"J. Bruce Fields" <bfields@...ldses.org>
To:	Ian Kent <ikent@...hat.com>
Cc:	Kernel Mailing List <linux-kernel@...r.kernel.org>,
	David Howells <dhowells@...hat.com>,
	Oleg Nesterov <onestero@...hat.com>,
	Trond Myklebust <trond.myklebust@...marydata.com>,
	Benjamin Coddington <bcodding@...hat.com>,
	Al Viro <viro@...IV.linux.org.uk>,
	Jeff Layton <jeff.layton@...marydata.com>,
	"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: Re: [RFC PATCH 0/5] Second attempt at contained helper execution

On Fri, Jan 16, 2015 at 09:01:13AM +0800, Ian Kent wrote:
> On Thu, 2015-01-15 at 11:27 -0500, J. Bruce Fields wrote:
> > On Thu, Jan 15, 2015 at 08:26:12AM +0800, Ian Kent wrote:
> > > On Wed, 2015-01-14 at 17:10 -0500, J. Bruce Fields wrote:
> > > > > On Wed, Jan 14, 2015 at 05:32:22PM +0800, Ian Kent wrote:
> > > > > > There are other difficulties to tackle as well, such as how to decide
> > > > > > if contained helper execution is needed. For example, if a mount has
> > > > > > been propagated to a container or bound into the container tree (such
> > > > > > as with the --volume option of "docker run") the root init namespace
> > > > > > may need to be used and not the container namespace.
> > > > 
> > > > I think you have to go through each of the existing upcall examples and
> > > > decide what's needed for each.
> > > > 
> > > > At least for the nfsv4 idmapper I would've thought the namespace the
> > > > mount was done in would be the right choice, hence my previous question.
> > > 
> > > Probably but you don't necessarily know what namespace the mount was
> > > done in. It may have been propagated from another namespace or (although
> > > I don't think it works yet) bound from another container using the
> > > volumes-from docker option.
> > 
> > Name-id mappings should be associated with the superblock, I guess--so
> > don't you store a pointer to the right thing there?
> 
> Quite possibly but my original point was, without an acceptable
> mechanism to execute the helper we can't know what might need to be done
> to use it.

At least for me it would be easier to review if it came with at least
one example user.

--b.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ