[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170713191429.vfaetqscxd7hniwq@thunk.org>
Date: Thu, 13 Jul 2017 15:14:29 -0400
From: Theodore Ts'o <tytso@....edu>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Stefan Berger <stefanb@...ux.vnet.ibm.com>,
"Serge E. Hallyn" <serge@...lyn.com>,
containers@...ts.linux-foundation.org, lkp@...org,
linux-kernel@...r.kernel.org, zohar@...ux.vnet.ibm.com,
tycho@...ker.com, James.Bottomley@...senPartnership.com,
vgoyal@...hat.com, christian.brauner@...lbox.org,
amir73il@...il.com, linux-security-module@...r.kernel.org,
casey@...aufler-ca.com
Subject: Re: [PATCH v2] xattr: Enable security.capability in user namespaces
On Thu, Jul 13, 2017 at 12:39:10PM -0500, Eric W. Biederman wrote:
> > Can you define what 'scalable' means for you in this context?
> > From what I can see sharing a filesystem between multiple containers
> > doesn't 'scale well' for virtualizing the xattrs primarily because of
> > size limitations of xattrs per file.
>
> Worse than that I believe you will find that filesystems are built on
> the assumption that there will be a small number of xattrs per file.
> So even if the vfs limitations were lifted the filesystem performance
> would suffer.
That's why I've been pushing here. If people try to do
security.capable@...=1000
security.capable@...=2000
security.capable@...=3000
security.capable@...=4000
security.capable@...=5000
security.capable@...=6000
security.capable@...=7000
security.capable@...=8000
security.capable@...=9000
.
.
.
... where the values of all of these will be the same, this is going
to be *awful* even if the file system can support it.
So maybe we are better off if we define an xattr
security.capable@...st-container
... so the property is that it is ignored by the host ("real")
container, and in all of the subcontainers, it will be used if the
local container root is trying to execute the file.
Now, this doesn't support the solution of the "turtles all the way
down" insane containers configuraiton.
E.g., where in one container we boot a RHEL distro, which then
launches another container running another RHEL distro, and repeat
this 1000 times, for a very deeply nested subsubsubsubsub...container.
I think this is insane and we shouldn't support this, but I know there
are people who think this is a perfectly sane thing to do.
The other thing this doesn't support is someone who wants to use IMA,
and where the every single IMA is using a different signed HMAC:
security.ima@...=1000
security.ima@...=2000
security.ima@...=3000
security.ima@...=4000
security.ima@...=5000
security.ima@...=6000
security.ima@...=7000
security.ima@...=8000
security.ima@...=9000
.
.
.
Where each security IMA could either be a 32 byte HMAC, or worse, a
256 byte RSA signed signature. Now let's assume there are 10,000
containers, each of which needs a separate RSA signature. This sounds
insane.... but I've seen things that I've thought were more insane
coming out of containerland, so it would be nice if we can get
something signed in blood promisng that no, we would *never* do
something that insane, or better yet, make it impossible to do from an
architectural standpoint.
- Ted
Powered by blists - more mailing lists