Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread Nikolay Borisov
On 11/18/2015 04:58 PM, Al Viro wrote: > On Wed, Nov 18, 2015 at 08:22:38AM -0600, Seth Forshee wrote: > >> But it still requires the admin set it up that way, no? And aren't >> privileges required to set up those devices in the first place? >> >> I'm not saying that it wouldn't be a good idea

Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread Seth Forshee
On Wed, Nov 18, 2015 at 02:58:18PM +, Al Viro wrote: > On Wed, Nov 18, 2015 at 08:22:38AM -0600, Seth Forshee wrote: > > > But it still requires the admin set it up that way, no? And aren't > > privileges required to set up those devices in the first place? > > > > I'm not saying that it

Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread Austin S Hemmelgarn
On 2015-11-18 09:58, Al Viro wrote: On Wed, Nov 18, 2015 at 08:22:38AM -0600, Seth Forshee wrote: But it still requires the admin set it up that way, no? And aren't privileges required to set up those devices in the first place? I'm not saying that it wouldn't be a good idea to lock down the

Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread Al Viro
On Wed, Nov 18, 2015 at 09:05:12AM -0600, Seth Forshee wrote: > Yes, the host admin. I'm not talking about trusting the admin inside the > container at all. Then why not have the same host admin just plain mount it when setting the container up and be done with that? From the host namespace,

Re: [PATCH 3/3] security/apparmor: do not define list_entry_next

2015-11-18 Thread John Johansen
On 11/18/2015 04:14 AM, Sergey Senozhatsky wrote: > Cosmetic. > > Do not define list_entry_next() and use list_next_entry() > from list.h. > two days too late, Geliang Tang already submitted the same patch in [PATCH 3/3] apparmor: use list_next_entry instead of list_entry_next and I've pulled

Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread Seth Forshee
On Wed, Nov 18, 2015 at 02:10:45PM -0500, Theodore Ts'o wrote: > On Tue, Nov 17, 2015 at 12:34:44PM -0600, Seth Forshee wrote: > > On Tue, Nov 17, 2015 at 05:55:06PM +, Al Viro wrote: > > > On Tue, Nov 17, 2015 at 11:25:51AM -0600, Seth Forshee wrote: > > > > > > > Shortly after that I plan

Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread Theodore Ts'o
On Tue, Nov 17, 2015 at 12:34:44PM -0600, Seth Forshee wrote: > On Tue, Nov 17, 2015 at 05:55:06PM +, Al Viro wrote: > > On Tue, Nov 17, 2015 at 11:25:51AM -0600, Seth Forshee wrote: > > > > > Shortly after that I plan to follow with support for ext4. I've been > > > fuzzing ext4 for a while

Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread Austin S Hemmelgarn
On 2015-11-17 16:32, Seth Forshee wrote: On Tue, Nov 17, 2015 at 03:54:50PM -0500, Austin S Hemmelgarn wrote: On 2015-11-17 14:16, Seth Forshee wrote: On Tue, Nov 17, 2015 at 02:02:09PM -0500, Austin S Hemmelgarn wrote: On 2015-11-17 12:55, Al Viro wrote: On Tue, Nov 17, 2015 at 11:25:51AM

Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread Austin S Hemmelgarn
On 2015-11-17 17:01, Seth Forshee wrote: On Tue, Nov 17, 2015 at 09:05:42PM +, Al Viro wrote: On Tue, Nov 17, 2015 at 03:39:16PM -0500, Austin S Hemmelgarn wrote: This is absolutely insane, no matter how much LSM snake oil you slatter on the whole thing. All of a sudden you are exposing

[PATCH 3/3] security/apparmor: do not define list_entry_next

2015-11-18 Thread Sergey Senozhatsky
Cosmetic. Do not define list_entry_next() and use list_next_entry() from list.h. Signed-off-by: Sergey Senozhatsky --- security/apparmor/apparmorfs.c | 10 -- 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/security/apparmor/apparmorfs.c

Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread Seth Forshee
On Wed, Nov 18, 2015 at 07:23:48AM -0500, Austin S Hemmelgarn wrote: > On 2015-11-17 16:32, Seth Forshee wrote: > >On Tue, Nov 17, 2015 at 03:54:50PM -0500, Austin S Hemmelgarn wrote: > >>On 2015-11-17 14:16, Seth Forshee wrote: > >>>On Tue, Nov 17, 2015 at 02:02:09PM -0500, Austin S Hemmelgarn

Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread Seth Forshee
On Wed, Nov 18, 2015 at 07:46:53AM -0500, Austin S Hemmelgarn wrote: > On 2015-11-17 17:01, Seth Forshee wrote: > >On Tue, Nov 17, 2015 at 09:05:42PM +, Al Viro wrote: > >>On Tue, Nov 17, 2015 at 03:39:16PM -0500, Austin S Hemmelgarn wrote: > >> > This is absolutely insane, no matter how

Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread Al Viro
On Wed, Nov 18, 2015 at 08:22:38AM -0600, Seth Forshee wrote: > But it still requires the admin set it up that way, no? And aren't > privileges required to set up those devices in the first place? > > I'm not saying that it wouldn't be a good idea to lock down the backing > stores for those

Re: [PATCH 3/3] security/apparmor: do not define list_entry_next

2015-11-18 Thread Sergey Senozhatsky
On (11/18/15 10:19), John Johansen wrote: > On 11/18/2015 04:14 AM, Sergey Senozhatsky wrote: > > Cosmetic. > > > > Do not define list_entry_next() and use list_next_entry() > > from list.h. > > > > two days too late, > > Geliang Tang already submitted the same patch in > [PATCH 3/3] apparmor:

Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread James Morris
On Wed, 18 Nov 2015, Richard Weinberger wrote: > On Wed, Nov 18, 2015 at 4:13 PM, Al Viro wrote: > > On Wed, Nov 18, 2015 at 09:05:12AM -0600, Seth Forshee wrote: > > > >> Yes, the host admin. I'm not talking about trusting the admin inside the > >> container at all. > >

Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread Richard Weinberger
On 19.11.2015 at 08:47, James Morris wrote: > On Wed, 18 Nov 2015, Richard Weinberger wrote: > >> On Wed, Nov 18, 2015 at 4:13 PM, Al Viro wrote: >>> On Wed, Nov 18, 2015 at 09:05:12AM -0600, Seth Forshee wrote: >>> Yes, the host admin. I'm not talking about