lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1421823925.2789.3.camel@pluto.fritz.box>
Date:	Wed, 21 Jan 2015 15:05:25 +0800
From:	Ian Kent <ikent@...hat.com>
To:	"J. Bruce Fields" <bfields@...ldses.org>
Cc:	Kernel Mailing List <linux-kernel@...r.kernel.org>,
	David Howells <dhowells@...hat.com>,
	Oleg Nesterov <onestero@...hat.com>,
	Trond Myklebust <trond.myklebust@...marydata.com>,
	Benjamin Coddington <bcodding@...hat.com>,
	Al Viro <viro@...IV.linux.org.uk>,
	Jeff Layton <jeff.layton@...marydata.com>,
	"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: Re: [RFC PATCH 0/5] Second attempt at contained helper execution

On Fri, 2015-01-16 at 10:25 -0500, J. Bruce Fields wrote:
> On Fri, Jan 16, 2015 at 09:01:13AM +0800, Ian Kent wrote:
> > On Thu, 2015-01-15 at 11:27 -0500, J. Bruce Fields wrote:
> > > On Thu, Jan 15, 2015 at 08:26:12AM +0800, Ian Kent wrote:
> > > > On Wed, 2015-01-14 at 17:10 -0500, J. Bruce Fields wrote:
> > > > > > On Wed, Jan 14, 2015 at 05:32:22PM +0800, Ian Kent wrote:
> > > > > > > There are other difficulties to tackle as well, such as how to decide
> > > > > > > if contained helper execution is needed. For example, if a mount has
> > > > > > > been propagated to a container or bound into the container tree (such
> > > > > > > as with the --volume option of "docker run") the root init namespace
> > > > > > > may need to be used and not the container namespace.
> > > > > 
> > > > > I think you have to go through each of the existing upcall examples and
> > > > > decide what's needed for each.
> > > > > 
> > > > > At least for the nfsv4 idmapper I would've thought the namespace the
> > > > > mount was done in would be the right choice, hence my previous question.
> > > > 
> > > > Probably but you don't necessarily know what namespace the mount was
> > > > done in. It may have been propagated from another namespace or (although
> > > > I don't think it works yet) bound from another container using the
> > > > volumes-from docker option.
> > > 
> > > Name-id mappings should be associated with the superblock, I guess--so
> > > don't you store a pointer to the right thing there?
> > 
> > Quite possibly but my original point was, without an acceptable
> > mechanism to execute the helper we can't know what might need to be done
> > to use it.
> 
> At least for me it would be easier to review if it came with at least
> one example user.

Haven't seen any negative responses but perhaps people are still away
over Xmas.

In the mean time it's probably a good idea to add some use cases to the
series in case the approach is OK.

I'll have a look at the nfsd code and see if I can spot the places.

Ian


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ