Message-ID: <mmhcgt6axn2kabwwu7n25v3s7yomcnynbrbaith7ecjhxtt6f6@mwjnpt4lzyzr>
Date: Tue, 20 Feb 2024 20:01:43 -0500
From: Kent Overstreet <kent.overstreet@...ux.dev>
To: Stéphane Graber <stgraber@...raber.org>
Cc: James Bottomley <James.Bottomley@...senpartnership.com>, 
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, lsf-pc@...ts.linux-foundation.org, 
	Christian Brauner <christian@...uner.io>, Aleksandr Mikhalitsyn <aleksandr.mikhalitsyn@...onical.com>
Subject: Re: [LSF TOPIC] beyond uidmapping, & towards a better security model

On Tue, Feb 20, 2024 at 07:56:32PM -0500, Stéphane Graber wrote:
> Hey there,
> 
> Sorry, I don't have the time to go through all the details in this
> post to provide an adequate response, I'm adding Aleksandr who may be
> able to provide more details on what we've been up to (what James
> alluded to).
> 
> Our proposal is effectively bumping the in-kernel kuid_t/kgid_t from
> uint32 to uint64, which allows for individual user namespaces to get a
> full usable uint32 uid/gid range in the kernel. Obviously any kind of
> data persistence needs some mapping (VFS idmap) and there are a bunch
> of other corner cases as to how this is all exposed to userspace.
> 
> The idea around this stuff started back at Plumbers / Kernel summit
> all the way back in 2019 with a bit of refinement on the idea on and
> off ever since.
> We now have a functional patchset and example userspace code at:
>  - https://github.com/mihalicyn/isolated-userns
>  - https://github.com/mihalicyn/linux/commits/isolated_userns
> 
> If you don't mind watching a video, we have a reasonably detailed talk
> on the topic as well as demo and useful audience questions and
> feedback from FOSDEM here: https://www.youtube.com/watch?v=mOLzSzpVwHU
> 
> After talking about this with folks at a number of LPC / kernel summit
> / FOSDEM by this point, our next step is going to be an RFC patchset,
> I think at this point we just want the cgroupfs issue sorted out
> before sending that out.
> 
> I'll try to set some time to go through your full e-mail later this
> week if Alex doesn't get to it first!

Looking forward to it!
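The quoted proposal above (a 64-bit in-kernel kuid/kgid so that each user namespace owns a full 32-bit range, with a VFS idmap for anything persisted) is easier to reason about with a toy model beside it. The block below is an added illustration, not code from the isolated-userns patchset or from anyone on this thread: it contrasts today's single shared 32-bit kuid space, where namespaces are given disjoint subuid windows, with a hypothetical 64-bit id that packs a namespace identifier in the high bits and the in-namespace uid in the low bits, and shows why an on-disk 32-bit uid still needs a per-mount mapping. The packing layout, the function and macro names (`to_kuid32`, `make_kuid64`, `kuid64_to_disk`, `KUID32_INVALID`), and the sample ranges are all assumptions made for the example; the message does not state how the patchset lays out the 64-bit value.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical "unmapped" marker for this example, mirroring the kernel's
 * (uid_t)-1 convention; the name is the example's own, not the kernel's. */
#define KUID32_INVALID UINT32_MAX

/* Today's model: one 32-bit kuid space shared by every user namespace.
 * A namespace sees ns_uid; the kernel translates it through the namespace's
 * window [ns_first, ns_first+count) -> [host_first, host_first+count).
 * Windows of different namespaces must not overlap, which is why container
 * runtimes hand out disjoint /etc/subuid ranges. */
uint32_t to_kuid32(uint32_t ns_first, uint32_t host_first, uint32_t count,
                   uint32_t ns_uid)
{
    if (ns_uid < ns_first || ns_uid - ns_first >= count)
        return KUID32_INVALID;            /* unmapped: treated as nobody */
    if (host_first > UINT32_MAX - (ns_uid - ns_first))
        return KUID32_INVALID;            /* window would wrap the 32-bit space */
    return host_first + (ns_uid - ns_first);
}

/* Toy version of the proposed direction: widen the kernel-internal id to
 * 64 bits. This example (an assumption, not the patchset's layout) packs a
 * namespace identifier in the high 32 bits and the uid as seen inside that
 * namespace in the low 32 bits, so every namespace owns a full 2^32 range
 * with no subuid bookkeeping. */
typedef uint64_t kuid64_t;

kuid64_t make_kuid64(uint32_t ns_id, uint32_t uid)
{
    return ((kuid64_t)ns_id << 32) | uid;
}

uint32_t kuid64_ns(kuid64_t k)  { return (uint32_t)(k >> 32); }
uint32_t kuid64_uid(kuid64_t k) { return (uint32_t)k; }

/* Identity is the whole 64-bit value: uid 0 in namespace 1 and uid 0 in
 * namespace 2 are distinct principals, so an owner-vs-caller DAC comparison
 * never matches across isolated namespaces. */
int kuid64_same_principal(kuid64_t a, kuid64_t b) { return a == b; }

/* Persistence: on-disk inodes still hold a 32-bit uid, so a mount needs a
 * VFS-level mapping from the owning namespace's kuid64 range to a disk range.
 * Returns the on-disk uid, or -1 when the kuid is outside this mount's mapping
 * (a different namespace never maps, even with identical low 32 bits). */
int64_t kuid64_to_disk(uint32_t map_ns, uint32_t map_first, uint32_t map_count,
                       uint32_t disk_first, kuid64_t k)
{
    if (kuid64_ns(k) != map_ns)
        return -1;
    uint32_t u = kuid64_uid(k);
    if (u < map_first || u - map_first >= map_count)
        return -1;
    if (disk_first > UINT32_MAX - (u - map_first))
        return -1;
    return (int64_t)disk_first + (u - map_first);
}

int main(void)
{
    /* Constructed sample: container A has subuid window 100000..165535 today. */
    printf("ns uid 0     -> kuid32 %u\n", to_kuid32(0, 100000, 65536, 0));
    printf("ns uid 65536 -> kuid32 %u (invalid)\n", to_kuid32(0, 100000, 65536, 65536));

    /* Proposed: the same container, as isolated namespace 1, owns all of 0..2^32-1. */
    kuid64_t root_a = make_kuid64(1, 0), root_b = make_kuid64(2, 0);
    printf("root in ns1 == root in ns2? %d\n", kuid64_same_principal(root_a, root_b));
    printf("ns1 uid 4294967295 -> kuid64 %llu\n",
           (unsigned long long)make_kuid64(1, 4294967295u));

    /* Writing to disk still needs a 32-bit mapping per mount (VFS idmap). */
    printf("ns1 uid 5 on disk: %lld\n",
           (long long)kuid64_to_disk(1, 0, 1000, 100000, make_kuid64(1, 5)));
    printf("ns2 uid 5 on same mount: %lld (unmapped)\n",
           (long long)kuid64_to_disk(1, 0, 1000, 100000, make_kuid64(2, 5)));
    return 0;
}
```

The point the model makes is the one the proposal hinges on: widening the kernel-internal id removes the need to carve a shared 32-bit space into non-overlapping windows, but it does nothing for formats that store a 32-bit uid, so every persisted path still goes through an explicit mapping that can fail and must be checked.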
