[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1314993400-6910-1-git-send-email-serge@hallyn.com>
Date: Fri, 2 Sep 2011 19:56:23 +0000
From: Serge Hallyn <serge@...lyn.com>
To: akpm@...l.org, segooon@...il.com, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, containers@...ts.linux-foundation.org,
dhowells@...hat.com, ebiederm@...ssion.com, rdunlap@...otime.net
Subject: user namespaces v3: continue targetting capabilities
This was last sent Jul 26, and incorporates feedback from that thread.
The last patch, 0015-make-kernel-signal.c-user-ns-safe-v2.patch, is new,
so could stand extra scrutiny.
This patchset is a basis for Eric's set which allows assigning a
filesystem to a user namespace
(http://git.kernel.org/?p=linux/kernel/git/ebiederm/linux-userns-devel.git),
which is the last hurdle to starting to employ user namespaces to help
constrain root in a container. So if there is no more major feedback,
I'd love to see this get a spin in -mm so we can proceed with that.
[ v2 intro message: ]
here is a set of patches to continue targetting capabilities
where appropriate. This set goes about as far as is possible
without making the VFS user namespace aware, meaning that the
VFS can provide a namespaced view of userids, i.e init_user_ns
sees file owner 500, while child user ns sees file owner 0 or
1000. (There are a few other things, like siginfos, which can
be addressed before we address the VFS).
With this set applied, you can create and configure veth netdevs
if your user namespace owns your network namespace (and you are
privileged), but not otherwise.
Some simple testcases can be found at
https://code.launchpad.net/~serge-hallyn/+junk/usernstests with
packages at
https://launchpad.net/~serge-hallyn/+archive/userns-natty
Feedback very much appreciated.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists