On Mon, Jan 16, 2017 at 12:29 PM, <sf...@users.sourceforge.net> wrote:
>
> Arun Chandran:
>> # id
>> uid=1001(test) gid=1001(test) groups=1001(test)
> :::
>> # cd layer1/
>> # >.wh..wh.aufs
>> # ln .wh..wh.aufs .wh.0.txt
>
> Ok, succeeded with a normal user.
> How about as a superuser?
>
> cd layer1
> sudo touch .wh..wh.aufs
> ln .wh..wh.aufs .wh.0.txt
>
> Is .wh..wh.aufs created with access="_"?
> Does .wh.0.txt fail to be linked?
>

No, it succeeded and was created with label "k1", please see below:

# mkdir layer0 layer1 rootfs_mnt
# echo 0 > layer0/0.txt
# echo 1 > layer1/1.txt
#
# cd layer1/
# sudo touch .wh..wh.aufs
# ln .wh..wh.aufs .wh.0.txt
#
./.wh.0.txt access="k1"
./.wh..wh.aufs access="k1"
./1.txt access="k1"
>
>> From the root terminal I can change labels of all the .wh* files and
>> can also change their ownership to a normal user.
>> This can be performed after the mount operation and it will allow me
>> to get the desired result.
>>
>> Do you see any security risk in doing so?
>
> It seems to break what smack is trying to protect by access="_". I don't
> know what it is. But as long as it is acceptable for you and you can get
> the desired result, it might be a good way to go.
>
>
>> Is there any way of deferring the formation of .wh.* files till
>> somebody really starts doing some
>> file operations? In that way those files will always get the label of
>> the guy who is doing the operation.
>
> It is up to how the smack label is set.
> Note that aufs doesn't care about smack settings, and just follows the
> behaviour of its branch fs's and smack's. As long as
> - smack sets access="_" to the files which a superuser created.
> - you mount aufs as a superuser.
> then, the symptom looks like a correct result.
> If you just want to set access= other than "_", then you can do it by
> either resetting after mount or changing the mount-user to other than root
> (based on the capability).

OK. I will have to manually change the labels for aufs metadata files
(.wh.*). Only the root user will have the necessary capabilities; all
other users will have limited capabilities.

>
>> root user will label the layers and do aufs mount of the layers before
>> starting the container. The processes running inside the container
>> will also have a unique label such as k0,k1,... kN and they should be
>> able to do any kind of operations in their respective aufs mounted
>> directories.
>
> So all the files which are set the label are unique to the container
> respectively, right? There will be no files shared between containers
> at all? Or a single file can have multiple smack labels?

Yes.
There won't be any sharing of files between containers; all the files in a
container will have a unique label which is different from the other
containers. A single file can have only one label.

--Arun
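The thread settles on relabelling the aufs metadata files (.wh.*) by hand after the root-run mount, because they otherwise carry the mounting user's Smack label instead of the container's. The script below is an added example, not code from the thread or from the aufs project: it audits a branch directory for .wh.-prefixed entries whose Smack access label (the real security.SMACK64 xattr, which chsmack prints as access="...") differs from the container label, and can relabel them. It assumes Linux with Smack enabled for the real xattr calls; the directory contents and the labels k1 and "_" in the test are constructed. Setting security.SMACK64 requires CAP_MAC_ADMIN, which matches the thread's point that only root can do this step. The label reader and writer are injectable so the audit logic itself can be checked on a host without Smack.

```python
# Added example (not from the aufs-users thread): audit and optionally fix the
# Smack labels on aufs metadata files (.wh.*) in a branch directory, so that
# files created by the root-run mount carry the container's label rather than
# the mount user's. Assumes Linux; security.SMACK64 is the real Smack
# access-label xattr, the directory layout and labels used for testing are ours.
import os
import sys

SMACK_XATTR = "security.SMACK64"   # Smack access label, shown by chsmack as access="..."
AUFS_META_PREFIX = ".wh."          # aufs reserves this prefix for whiteouts and metadata


def is_aufs_meta(name):
    """True for aufs whiteouts (.wh.<name>) and internal files such as .wh..wh.aufs."""
    return name.startswith(AUFS_META_PREFIX)


def read_smack_label(path):
    """Read the Smack access label of path, or None when it has none / Smack is off."""
    try:
        return os.getxattr(path, SMACK_XATTR, follow_symlinks=False).decode()
    except OSError:
        return None


def write_smack_label(path, label):
    """Set the Smack access label; on a real Smack system this needs CAP_MAC_ADMIN."""
    os.setxattr(path, SMACK_XATTR, label.encode(), follow_symlinks=False)


def audit_branch(branch, expected_label, read_label=read_smack_label):
    """Return sorted (relative path, actual label) pairs for aufs metadata
    entries whose label differs from expected_label. read_label is injectable
    so the logic can be exercised without a Smack-enabled kernel."""
    mismatches = []
    for dirpath, dirnames, filenames in os.walk(branch):
        for name in dirnames + filenames:
            if not is_aufs_meta(name):
                continue
            path = os.path.join(dirpath, name)
            label = read_label(path)
            if label != expected_label:
                mismatches.append((os.path.relpath(path, branch), label))
    return sorted(mismatches)


def relabel_branch(branch, expected_label,
                   read_label=read_smack_label, write_label=write_smack_label):
    """Relabel every mismatching aufs metadata entry; return the paths changed."""
    changed = []
    for rel, _old in audit_branch(branch, expected_label, read_label):
        write_label(os.path.join(branch, rel), expected_label)
        changed.append(rel)
    return changed


if __name__ == "__main__":
    # usage: python audit_wh_labels.py layer1 k1 [--fix]
    if len(sys.argv) < 3:
        sys.exit("usage: audit_wh_labels.py <branch-dir> <expected-label> [--fix]")
    branch_dir, container_label = sys.argv[1], sys.argv[2]
    if "--fix" in sys.argv[3:]:
        for rel in relabel_branch(branch_dir, container_label):
            print("relabelled", rel)
    for rel, actual in audit_branch(branch_dir, container_label):
        print("MISMATCH %s access=%r (expected %r)" % (rel, actual, container_label))
```

Run it against each layer right after the aufs mount and again before starting the container; an empty report means every .wh.* entry already carries the container's label, which is the state the thread describes as the desired result.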