Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-29 Thread Enrico Weigelt, metux IT consult
On 17.10.20 18:51, Eric W. Biederman wrote: Hi folks, >> I believe subusers aren't meant for typical containers (like docker or >> lxc), but unprivileged user programs that wanna have further isolation >> for subprocesses (eg. a browser's renderer or js engine). >> >> Correct me if I'm wrong. >

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-19 Thread Giuseppe Scrivano
"Serge E. Hallyn" writes: > On Tue, Oct 13, 2020 at 05:17:36PM +0200, Giuseppe Scrivano wrote: >> "Serge E. Hallyn" writes: >> >> > On Mon, Oct 12, 2020 at 07:05:10PM +0200, Giuseppe Scrivano wrote: >> >> Josh Triplett writes: >> >> >> >> > On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E.

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-18 Thread Christian Brauner
On Sat, Oct 17, 2020 at 11:51:22AM -0500, Eric W. Biederman wrote: > "Enrico Weigelt, metux IT consult" writes: > > > On 30.08.20 16:39, Christian Brauner wrote: > > > > Hi Christian, > > > >> P1. Isolated id mappings can only be guaranteed to be locally isolated. > >> A container

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-17 Thread Eric W. Biederman
"Enrico Weigelt, metux IT consult" writes: > On 30.08.20 16:39, Christian Brauner wrote: > > Hi Christian, > >> P1. Isolated id mappings can only be guaranteed to be locally isolated. >> A container runtime/daemon can only guarantee non-overlapping id mappings >> when no other users on

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-17 Thread Eric W. Biederman
"Serge E. Hallyn" writes: > On Wed, Oct 14, 2020 at 02:46:46PM -0500, Eric W. Biederman wrote: >> "Serge E. Hallyn" writes: >> >> > On Mon, Oct 12, 2020 at 12:01:09AM -0500, Eric W. Biederman wrote: >> >> Andy Lutomirski writes: >> >> >> >> > On Sun, Oct 11, 2020 at 1:53 PM Josh Triplett

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-15 Thread Enrico Weigelt, metux IT consult
On 30.08.20 16:39, Christian Brauner wrote: Hi Christian, > P1. Isolated id mappings can only be guaranteed to be locally isolated. > A container runtime/daemon can only guarantee non-overlapping id mappings > when no other users on the system create containers. Indeed. But couldn't we

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-15 Thread Serge E. Hallyn
On Tue, Oct 13, 2020 at 05:17:36PM +0200, Giuseppe Scrivano wrote: > "Serge E. Hallyn" writes: > > > On Mon, Oct 12, 2020 at 07:05:10PM +0200, Giuseppe Scrivano wrote: > >> Josh Triplett writes: > >> > >> > On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote: > >> >> > 3. Find a

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-15 Thread Serge E. Hallyn
On Wed, Oct 14, 2020 at 02:46:46PM -0500, Eric W. Biederman wrote: > "Serge E. Hallyn" writes: > > > On Mon, Oct 12, 2020 at 12:01:09AM -0500, Eric W. Biederman wrote: > >> Andy Lutomirski writes: > >> > >> > On Sun, Oct 11, 2020 at 1:53 PM Josh Triplett > >> > wrote: > >> >> > >> >> On Fri,

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-14 Thread Eric W. Biederman
"Serge E. Hallyn" writes: > On Mon, Oct 12, 2020 at 12:01:09AM -0500, Eric W. Biederman wrote: >> Andy Lutomirski writes: >> >> > On Sun, Oct 11, 2020 at 1:53 PM Josh Triplett >> > wrote: >> >> >> >> On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote: >> >> > > 3. Find a way to

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-13 Thread Giuseppe Scrivano
"Serge E. Hallyn" writes: > On Mon, Oct 12, 2020 at 07:05:10PM +0200, Giuseppe Scrivano wrote: >> Josh Triplett writes: >> >> > On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote: >> >> > 3. Find a way to allow setgroups() in a user namespace while keeping >> >> > in mind the

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-13 Thread Serge E. Hallyn
On Mon, Oct 12, 2020 at 07:05:10PM +0200, Giuseppe Scrivano wrote: > Josh Triplett writes: > > > On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote: > >> > 3. Find a way to allow setgroups() in a user namespace while keeping > >> > in mind the case of groups used for negative

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-12 Thread Giuseppe Scrivano
Josh Triplett writes: > On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote: >> > 3. Find a way to allow setgroups() in a user namespace while keeping >> > in mind the case of groups used for negative access control. >> > This was suggested by Josh Triplett and Geoffrey Thomas.

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-12 Thread Serge E. Hallyn
On Mon, Oct 12, 2020 at 12:01:09AM -0500, Eric W. Biederman wrote: > Andy Lutomirski writes: > > > On Sun, Oct 11, 2020 at 1:53 PM Josh Triplett wrote: > >> > >> On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote: > >> > > 3. Find a way to allow setgroups() in a user namespace

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-11 Thread Eric W. Biederman
Andy Lutomirski writes: > On Sun, Oct 11, 2020 at 1:53 PM Josh Triplett wrote: >> >> On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote: >> > > 3. Find a way to allow setgroups() in a user namespace while keeping >> > > in mind the case of groups used for negative access

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-11 Thread Andy Lutomirski
On Sun, Oct 11, 2020 at 1:53 PM Josh Triplett wrote: > > On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote: > > > 3. Find a way to allow setgroups() in a user namespace while keeping > > > in mind the case of groups used for negative access control. > > > This was suggested by

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-11 Thread Josh Triplett
On Fri, Oct 09, 2020 at 11:26:06PM -0500, Serge E. Hallyn wrote: > > 3. Find a way to allow setgroups() in a user namespace while keeping > > in mind the case of groups used for negative access control. > > This was suggested by Josh Triplett and Geoffrey Thomas. Their idea was > > to > >

Re: LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-10-09 Thread Serge E. Hallyn
> 3. Find a way to allow setgroups() in a user namespace while keeping > in mind the case of groups used for negative access control. > This was suggested by Josh Triplett and Geoffrey Thomas. Their idea was to > investigate adding a prctl() to allow setgroups() to be called in a user >

LPC 2020 Hackroom Session: summary and next steps for isolated user namespaces

2020-08-30 Thread Christian Brauner
Hello everyone, ## Preliminaries This is the summary of the Hackroom session Stéphane and I led as a follow-up to our presentations in the Containers & Checkpoint/Restore micro-conference at Linux Plumbers 2020. Please make sure to see the Action Items section below as it outlines the next