Re: [PATCH] userns/capability: Add user namespace capability

2015-10-22 Thread Andy Lutomirski
On Thu, Oct 22, 2015 at 1:45 PM, Eric W. Biederman wrote: > > Thank you for a creative solution to a problem that you perceive. I > appreciate it when people aim to solve problems they see. > > Tobias Markus writes: > >> On 17.10.2015 23:55, Serge E.

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-22 Thread Eric W. Biederman
Andy Lutomirski writes: > At the risk of pointing out a can of worms, the attack surface also > includes things like the iptables configuration APIs, parsers, and > filter/conntrack/action modules. It is worth noting that module auto-load does not happen if the triggering

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-21 Thread Andy Lutomirski
On Oct 19, 2015 7:25 AM, "Austin S Hemmelgarn" wrote: > > On 2015-10-17 11:58, Tobias Markus wrote: >> >> Add capability CAP_SYS_USER_NS. >> Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace >> when calling clone or unshare with CLONE_NEWUSER. >> >>

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-19 Thread Richard Weinberger
On 19.10.2015 at 14:36, Yves-Alexis Perez wrote: > On Sun., 2015-10-18 at 20:41 -0500, Serge E. Hallyn wrote: >> We shouldn't need a long-term solution. Your concern is bugs. After >> some time surely we'll feel that we have achieved a stable solution? > > But this is actually the whole point:

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-19 Thread Yves-Alexis Perez
On Sun., 2015-10-18 at 20:41 -0500, Serge E. Hallyn wrote: > We shouldn't need a long-term solution.  Your concern is bugs.  After > some time surely we'll feel that we have achieved a stable solution? But this is actually the whole point: we need a long term solution, because they will always be

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-19 Thread Austin S Hemmelgarn
On 2015-10-17 11:58, Tobias Markus wrote: Add capability CAP_SYS_USER_NS. Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace when calling clone or unshare with CLONE_NEWUSER. Rationale: Linux 3.8 saw the introduction of unprivileged user namespaces, allowing unprivileged

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-18 Thread Richard Weinberger
On 18.10.2015 at 22:41, Tobias Markus wrote: > On 18.10.2015 22:21, Richard Weinberger wrote: >> On 18.10.2015 at 22:13, Tobias Markus wrote: >>> On 17.10.2015 22:17, Richard Weinberger wrote: On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote: > One question

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-18 Thread Richard Weinberger
On 18.10.2015 at 22:13, Tobias Markus wrote: > On 17.10.2015 22:17, Richard Weinberger wrote: >> On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote: >>> One question remains though: Does this break userspace executables that >>> expect being able to create user namespaces

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-18 Thread Tobias Markus
On 18.10.2015 22:21, Richard Weinberger wrote: > On 18.10.2015 at 22:13, Tobias Markus wrote: >> On 17.10.2015 22:17, Richard Weinberger wrote: >>> On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote: One question remains though: Does this break userspace executables that

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-17 Thread Richard Weinberger
On Sat, Oct 17, 2015 at 5:58 PM, Tobias Markus wrote: > One question remains though: Does this break userspace executables that > expect being able to create user namespaces without privilege? Since > creating user namespaces without CAP_SYS_ADMIN was not possible before >

Re: [PATCH] userns/capability: Add user namespace capability

2015-10-17 Thread Serge E. Hallyn
On Sat, Oct 17, 2015 at 05:58:04PM +0200, Tobias Markus wrote: > Add capability CAP_SYS_USER_NS. > Tasks having CAP_SYS_USER_NS are allowed to create a new user namespace > when calling clone or unshare with CLONE_NEWUSER. > > Rationale: > > Linux 3.8 saw the introduction of unprivileged user
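The operation this patch wants to gate behind CAP_SYS_USER_NS is an unprivileged task calling clone or unshare with CLONE_NEWUSER, which Linux has permitted since 3.8. The probe below is an added example, not code from the patch or from anyone in the thread, and it exercises the behaviour as the kernel ships it, without the proposed capability: it forks a child, has the child call unshare(CLONE_NEWUSER) with whatever uid it already has, writes the one-entry uid_map and gid_map that an unprivileged namespace owner is allowed to set, and reports back through the exit status whether the kernel permitted it. The enum and function names, and the choice to map the caller to uid 0 inside the namespace, are mine; the write of "deny" to /proc/self/setgroups is the step the kernel has required before an unprivileged gid_map write since 3.19. Linux only.

```c
/* Added example: probe whether an unprivileged task may create a user
 * namespace (the operation CAP_SYS_USER_NS would gate). Not from the patch. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical outcome classes for the probe (names are this example's own). */
enum userns_probe {
    USERNS_OK,           /* unshare + uid/gid map succeeded, child became uid 0 inside */
    USERNS_DENIED,       /* EPERM/EACCES: policy or a distro knob refused it */
    USERNS_UNSUPPORTED,  /* EINVAL (no CONFIG_USER_NS), ENOSPC/EUSERS (limits), other */
    USERNS_FORK_FAILED   /* could not fork/wait, nothing learned */
};

/* Format one "inside outside count\n" line for /proc/<pid>/{uid,gid}_map.
 * Returns the length written, or -1 if it did not fit. */
int format_idmap(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Write a whole string to a path with a single write(2); the map files
 * reject partial or repeated writes, so we check the full length landed. */
static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, s, strlen(s));
    close(fd);
    return (w == (ssize_t)strlen(s)) ? 0 : -1;
}

/* Child side. Returns 0 on full success, otherwise an errno-sized code. */
static int child_enter_userns(uid_t uid, gid_t gid)
{
    char map[64];

    if (unshare(CLONE_NEWUSER) != 0)
        return errno;             /* EPERM, EINVAL, ENOSPC, EUSERS ... */

    /* Since 3.19 an unprivileged owner must deny setgroups before gid_map
     * is writable; the file is absent on older kernels, so ignore failure. */
    write_file("/proc/self/setgroups", "deny");

    format_idmap(map, sizeof map, 0, (unsigned)uid, 1);
    if (write_file("/proc/self/uid_map", map) != 0)
        return EACCES;
    format_idmap(map, sizeof map, 0, (unsigned)gid, 1);
    if (write_file("/proc/self/gid_map", map) != 0)
        return EACCES;

    /* With the map in place the caller's uid appears as 0 inside the ns. */
    return geteuid() == 0 ? 0 : EIO;
}

/* Run the probe in a child so the caller's own namespace is untouched.
 * err_out (optional) receives the child's raw errno code. */
enum userns_probe probe_unprivileged_userns(int *err_out)
{
    uid_t uid = geteuid();
    gid_t gid = getegid();
    int status;

    pid_t pid = fork();
    if (pid < 0)
        return USERNS_FORK_FAILED;
    if (pid == 0)
        _exit(child_enter_userns(uid, gid) & 0xff);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return USERNS_FORK_FAILED;

    int code = WEXITSTATUS(status);
    if (err_out)
        *err_out = code;
    if (code == 0)
        return USERNS_OK;
    if (code == EPERM || code == EACCES)
        return USERNS_DENIED;
    return USERNS_UNSUPPORTED;
}

int main(void)
{
    int err = 0;
    enum userns_probe r = probe_unprivileged_userns(&err);
    static const char *names[] = { "OK", "DENIED", "UNSUPPORTED", "FORK_FAILED" };
    printf("uid %u: unprivileged userns creation: %s (code %d: %s)\n",
           (unsigned)geteuid(), names[r], err, err ? strerror(err) : "-");
    return 0;
}
```

Run it as an ordinary user; as root the kernel grants CLONE_NEWUSER regardless, so the result says nothing about the unprivileged path. A DENIED result with EPERM is what a kernel carrying the Debian/Ubuntu kernel.unprivileged_userns_clone sysctl set to 0 produces; ENOSPC means the user.max_user_namespaces limit (4.9 and later) is exhausted, EUSERS that the nesting depth limit was hit, and EINVAL that the kernel was built without CONFIG_USER_NS. Those are the knobs a distribution has today in place of the capability proposed here.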