| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Jan 2015 15:05:25 +0800 From: Ian Kent <ikent@...hat.com> To: "J. Bruce Fields" <bfields@...ldses.org> Cc: Kernel Mailing List <linux-kernel@...r.kernel.org>, David Howells <dhowells@...hat.com>, Oleg Nesterov <onestero@...hat.com>, Trond Myklebust <trond.myklebust@...marydata.com>, Benjamin Coddington <bcodding@...hat.com>, Al Viro <viro@...IV.linux.org.uk>, Jeff Layton <jeff.layton@...marydata.com>, "Eric W. Biederman" <ebiederm@...ssion.com> Subject: Re: [RFC PATCH 0/5] Second attempt at contained helper execution On Fri, 2015-01-16 at 10:25 -0500, J. Bruce Fields wrote: > On Fri, Jan 16, 2015 at 09:01:13AM +0800, Ian Kent wrote: > > On Thu, 2015-01-15 at 11:27 -0500, J. Bruce Fields wrote: > > > On Thu, Jan 15, 2015 at 08:26:12AM +0800, Ian Kent wrote: > > > > On Wed, 2015-01-14 at 17:10 -0500, J. Bruce Fields wrote: > > > > > > On Wed, Jan 14, 2015 at 05:32:22PM +0800, Ian Kent wrote: > > > > > > > There are other difficulties to tackle as well, such as how to decide > > > > > > > if contained helper execution is needed. For example, if a mount has > > > > > > > been propagated to a container or bound into the container tree (such > > > > > > > as with the --volume option of "docker run") the root init namespace > > > > > > > may need to be used and not the container namespace. > > > > > > > > > > I think you have to go through each of the existing upcall examples and > > > > > decide what's needed for each. > > > > > > > > > > At least for the nfsv4 idmapper I would've thought the namespace the > > > > > mount was done in would be the right choice, hence my previous question. > > > > > > > > Probably but you don't necessarily know what namespace the mount was > > > > done in. It may have been propagated from another namespace or (although > > > > I don't think it works yet) bound from another container using the > > > > volumes-from docker option. > > > > > > Name-id mappings should be associated with the superblock, I guess--so > > > don't you store a pointer to the right thing there? > > > > Quite possibly but my original point was, without an acceptable > > mechanism to execute the helper we can't know what might need to be done > > to use it. > > At least for me it would be easier to review if it came with at least > one example user. Haven't seen any negative responses but perhaps people are still away over Xmas. In the mean time it's probably a good idea to add some use cases to the series in case the approach is OK. I'll have a look at the nfsd code and see if I can spot the places. Ian -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists