lists.openwall.net | Open Source and information security mailing list archives
Date: Fri, 17 Feb 2017 09:19:53 -0800
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Vivek Goyal <vgoyal@...hat.com>, Amir Goldstein <amir73il@...il.com>, Djalal Harouni <tixxdz@...il.com>, Chris Mason <clm@...com>, Theodore Tso <tytso@....edu>, Josh Triplett <josh@...htriplett.org>, Andy Lutomirski <luto@...nel.org>, Seth Forshee <seth.forshee@...onical.com>, linux-fsdevel <linux-fsdevel@...r.kernel.org>, linux-kernel <linux-kernel@...r.kernel.org>, LSM List <linux-security-module@...r.kernel.org>, Dongsu Park <dongsu@...ocode.com>, David Herrmann <dh.herrmann@...glemail.com>, Miklos Szeredi <mszeredi@...hat.com>, Alban Crequy <alban.crequy@...il.com>, Al Viro <viro@...iv.linux.org.uk>, "Serge E. Hallyn" <serge@...lyn.com>, Phil Estes <estesp@...il.com>
Subject: Re: [RFC 1/1] shiftfs: uid/gid shifting bind mount

On Fri, 2017-02-17 at 14:57 +1300, Eric W. Biederman wrote:
> I think I am missing something but I completely do not understand
> that subthread that says use file marks and perform the work in the
> vfs. The problem is that fundamentally we need multiple mappings and
> I don't see a mark on a file (even an inherited mark) providing the
> mapping so I don't see the point.

The point of the mark is that it's a statement by the system administrator that the underlying subtree is safe to be mounted by an unprivileged container in the container's user view (i.e. with current_user_ns() == s_user_ns).

For the unprivileged container there's no real arbitrary s_user_ns use case because the unprivileged container must prove it can set up the mapping, so it would likely always be mounting from within a user_ns with the mapping it wanted.

James
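A user-space model of the two things the reply above argues about, added here as an illustration and not code from the shiftfs RFC or from the kernel: the uid mapping an unprivileged container has to be able to set up (the extent format and the own-uid-only rule follow /proc/<pid>/uid_map semantics), and the administrator's mark that makes a shifted mount acceptable only when the mounter's namespace is the superblock's (current_user_ns() == s_user_ns). The `UserNs`, `Subtree` and `shifted_view` names and the assumption that the mark is inherited down the tree are this model's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Extent = Tuple[int, int, int]  # (inside_start, outside_start, count), as in /proc/<pid>/uid_map

@dataclass
class UserNs:
    name: str
    extents: List[Extent] = field(default_factory=list)

    def set_uid_map(self, extents: List[Extent], writer_uid: int, cap_setuid: bool) -> bool:
        """Model of writing uid_map: without CAP_SETUID in the parent namespace the
        writer may only map its own uid, once. This is how a container "proves"
        it can set up the mapping it later wants a shifting mount to apply."""
        if not cap_setuid:
            if len(extents) != 1 or extents[0][2] != 1 or extents[0][1] != writer_uid:
                return False
        self.extents = list(extents)
        return True

    def map_up(self, outside_uid: int) -> Optional[int]:
        """Host (outside) uid -> uid seen inside this namespace; None if unmapped."""
        for inside, outside, count in self.extents:
            if outside <= outside_uid < outside + count:
                return inside + (outside_uid - outside)
        return None

@dataclass
class Subtree:
    path: str
    s_user_ns: UserNs                    # user namespace the subtree was mounted from
    marked: bool = False                 # administrator's "safe to shift-mount" mark (assumed flag)
    parent: Optional["Subtree"] = None

    def has_mark(self) -> bool:
        node = self                      # assumed: the mark is inherited down the tree
        while node is not None:
            if node.marked:
                return True
            node = node.parent
        return False

def shifted_view(subtree: Subtree, current_user_ns: UserNs, host_uid: int) -> Optional[int]:
    """Uid a process in current_user_ns sees on a file owned by host_uid, or None
    when the shifted mount is not honoured: no mark, or current_user_ns != s_user_ns."""
    if not subtree.has_mark() or current_user_ns is not subtree.s_user_ns:
        return None
    return current_user_ns.map_up(host_uid)
```

The unmapped case returning None stands in for the kernel showing the overflow ("nobody") id for ids outside the namespace's map.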