Re: [PATCH] userns: Allow init_user_ns to be used from non-gpl modules

2016-05-23 Thread Serge Hallyn
Quoting Nikolay Borisov (n.borisov.l...@gmail.com): > This patch changes the export attributes of the init_user_ns from > GPL-only to any modules. This is needed so that non-gpl modules, such as > ZFS, utilize functions like i_(uid|gid)_(read|write). > > Signed-off-by: Nikolay Borisov Seems reasona

Re: [RFC 1/1] shiftfs: uid/gid shifting bind mount

2016-05-16 Thread Serge Hallyn
Hey James, I probably did something wrong - but I applied your patch onto 4.6, compiled in shiftfs, did mount -t shiftfs -o uidmap=0:10:65536,gidmap=0:10:65536 /home/ubuntu /mnt and ls segfaults and gives me kernel syslog msgs like: [ 1089.744726] === [ 108

Re: [RFC v2 PATCH 0/8] VFS:userns: support portable root filesystems

2016-05-09 Thread Serge Hallyn
Quoting Djalal Harouni (tix...@gmail.com): > Hi, > > On Wed, May 04, 2016 at 11:30:09PM +0000, Serge Hallyn wrote: > > Quoting Djalal Harouni (tix...@gmail.com): > > > This is version 2 of the VFS:userns support portable root filesystems > > > RFC. Changes since

Re: [PATCH 2/2] net: Use ns_capable_noaudit() when determining net sysctl permissions

2016-05-08 Thread Serge Hallyn
Quoting Tyler Hicks (tyhi...@canonical.com): > The capability check should not be audited since it is only being used > to determine the inode permissions. A failed check does not indicate a > violation of security policy but, when an LSM is enabled, a denial audit > message was being generated. >

Re: [PATCH 1/2] kernel: Add noaudit variant of ns_capable()

2016-05-08 Thread Serge Hallyn
Quoting Tyler Hicks (tyhi...@canonical.com): > When checking the current cred for a capability in a specific user > namespace, it isn't always desirable to have the LSMs audit the check. > This patch adds a noaudit variant of ns_capable() for when those > situations arise. > > The common logic bet

Re: [RFC v2 PATCH 0/8] VFS:userns: support portable root filesystems

2016-05-04 Thread Serge Hallyn
Quoting Djalal Harouni (tix...@gmail.com): > This is version 2 of the VFS:userns support portable root filesystems > RFC. Changes since version 1: > > * Update documentation and remove some ambiguity about the feature. > Based on Josh Triplett comments. > * Use a new email address to send the RF

Re: [RFC v2 PATCH 3/8] fs: Treat foreign mounts as nosuid

2016-05-04 Thread Serge Hallyn
Quoting Djalal Harouni (tix...@gmail.com): > If a process gets access to a mount from a different user > namespace, that process should not be able to take advantage of > setuid files or selinux entrypoints from that filesystem. Prevent > this by treating mounts from other mount namespaces and tho

namespaced file capabilities

2016-04-22 Thread serge . hallyn
Hi, I've sent a few patches and emails over the past months about supporting file capabilities in user namespace confined containers. A few of the requirements as I see them are: 1. Root in a user namespace should be able to set file capabilities on a binary for use by any user mapped into his n

[PATCH 1/1] simplified security.nscapability xattr

2016-04-22 Thread serge . hallyn
From: Serge Hallyn This can only be set by root in his own namespace, and will only be respected by namespaces with that same root kuid mapped as root, or namespaces descended from it. This allows a simple setxattr to work, allows tar/untar to work, and allows us to tar in one namespace and

[PATCH 2/2] mountinfo: implement show_path for kernfs and cgroup

2016-04-17 Thread serge . hallyn
From: Serge Hallyn When showing a cgroupfs entry in mountinfo, show the path of the mount root dentry relative to the reader's cgroup namespace root. Signed-off-by: Serge Hallyn --- fs/kernfs/mount.c | 14 ++ include/linux/kernfs.h | 2 ++ kernel/cgroup.c

Show virtualized dentry root in mountinfo for cgroupfs

2016-04-17 Thread serge . hallyn
With the current cgroup namespace patches, the root dentry path of a mount as shown in /proc/self/mountinfo is the full global cgroup path. It is common for userspace to use /proc/self/mountinfo to search for cgroup mountpoints, and expect the root dentry path to relate to the cgroup paths in /pro

[PATCH 1/2] kernfs_path_from_node_locked: don't overwrite nlen

2016-04-17 Thread serge . hallyn
From: Serge Hallyn We've calculated @len to be the bytes we need for '/..' entries from @kn_from to the common ancestor, and calculated @nlen to be the extra bytes we need to get from the common ancestor to @kn_to. We use them as such at the end. But in the loop copying the act
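The relative-path computation this fix describes (and the kernfs_path_from_node() API the kernfs patches of the cgroup namespace series further down introduce), as an added example that is not code from those patches: a user-space model that works on path strings instead of kernfs_node trees. The argument order (destination first), the "/.." step per level from the starting node up to the common ancestor, and the "/" result for identical nodes follow the in-tree function; the string representation, the fixed-size arrays and the rel() wrapper are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COMPS 32
#define MAX_NAME  64

/* Split an absolute path such as "/lxc/c1/sub" into its components.
 * Returns the component count, or -1 if the path is deeper or a name
 * longer than the fixed-size arrays assumed here allow. */
static int split_path(const char *path, char comps[][MAX_NAME])
{
    int n = 0;

    while (*path) {
        while (*path == '/')
            path++;
        if (!*path)
            break;
        const char *end = strchr(path, '/');
        size_t len = end ? (size_t)(end - path) : strlen(path);
        if (n >= MAX_COMPS || len >= MAX_NAME)
            return -1;
        memcpy(comps[n], path, len);
        comps[n][len] = '\0';
        n++;
        path += len;
    }
    return n;
}

/*
 * Path of 'to' relative to 'from', kernel argument order (kn_to first).
 * Returns the length written without the NUL, or -1 if a path is malformed
 * or buf is too small.  Both sizes are computed before anything is
 * written: 'len' covers the "/.." steps from 'from' up to the common
 * ancestor, 'nlen' the "/name" steps from that ancestor down to 'to'.
 * The copy loops must leave both untouched, which is the bug the patch
 * above fixes.
 */
int path_from_node(const char *to, const char *from, char *buf, size_t buflen)
{
    char fc[MAX_COMPS][MAX_NAME], tc[MAX_COMPS][MAX_NAME];
    int nf = split_path(from, fc);
    int nt = split_path(to, tc);
    int common = 0;

    if (nf < 0 || nt < 0 || buflen < 2)
        return -1;

    /* depth of the common ancestor */
    while (common < nf && common < nt && strcmp(fc[common], tc[common]) == 0)
        common++;

    /* same node: the kernel reports "/" */
    if (common == nf && common == nt) {
        strcpy(buf, "/");
        return 1;
    }

    size_t len = 3 * (size_t)(nf - common);
    size_t nlen = 0;
    for (int i = common; i < nt; i++)
        nlen += 1 + strlen(tc[i]);
    if (len + nlen + 1 > buflen)
        return -1;

    char *p = buf;
    for (int i = common; i < nf; i++) {
        memcpy(p, "/..", 3);
        p += 3;
    }
    for (int i = common; i < nt; i++) {
        size_t l = strlen(tc[i]);
        *p++ = '/';
        memcpy(p, tc[i], l);
        p += l;
    }
    *p = '\0';
    return (int)(len + nlen);
}

/* Convenience wrapper returning a static buffer, or NULL on error. */
const char *rel(const char *to, const char *from)
{
    static char buf[256];
    return path_from_node(to, from, buf, sizeof buf) < 0 ? NULL : buf;
}

int main(void)
{
    /* A container whose cgroupns root is /lxc/c1 reading mountinfo for a
     * cgroup mount rooted below, at, and above its own root. */
    printf("%s\n", rel("/lxc/c1/sub", "/lxc/c1"));
    printf("%s\n", rel("/lxc/c1", "/lxc/c1"));
    printf("%s\n", rel("/", "/lxc/c1"));
    printf("%s\n", rel("/lxc/c2/x", "/lxc/c1"));
    return 0;
}
```

The third call is the case the mountinfo change above cares about: a mount whose root lies above the reader's cgroupns root is shown with "/.." components rather than the global path.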

Re: [PATCH] exec: clarify reasoning for euid/egid reset

2016-04-12 Thread Serge Hallyn
Quoting Kees Cook (keesc...@chromium.org): > This section of code initially looks redundant, but is required. This > improves the comment to explain more clearly why the reset is needed. > > Signed-off-by: Kees Cook Thanks, Kees. Acked-by: Serge E. Hallyn > --- > fs/exec.c | 7 ++- > 1 f

Re: [PATCH] devpts: Make ptmx be owned by the userns owner instead of userns-local 0

2016-03-14 Thread Serge Hallyn
Quoting Andy Lutomirski (l...@kernel.org): > We used to have ptmx be owned by the inner uid and gid 0. Change > this: if the owner and group are both mapped but are not both 0, > then use the owner instead. > > For container-style namespaces (LXC, etc), this should have no > effect -- UID 0 is wi

Re: [PATCH 0/2] Fix debugfs bind mount regression

2016-03-09 Thread Serge Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > Seth Forshee writes: > > > Some full-OS container software bind mounts debugfs into containers to > > satisfy the assumptions of older userspaces which expect to be able to > > mount debugfs. This regressed in 4.1 due to the addition of tracefs

Re: [lxc-devel] CGroup Namespaces (v10)

2016-02-26 Thread Serge Hallyn
Quoting Alban Crequy (alban.cre...@gmail.com): > Hi, > > On 29 January 2016 at 09:54, wrote: > > Hi, > > > > following is a revised set of the CGroup Namespace patchset which Aditya > > Kali has previously sent. The code can also be found in the cgroupns.v10 > > branch of > > > > https://git.ke

Re: [PATCH v2] openvswitch: allow management from inside user namespaces

2016-02-02 Thread Serge Hallyn
Quoting Tycho Andersen (tycho.ander...@canonical.com): > Operations with the GENL_ADMIN_PERM flag fail permissions checks because > this flag means we call netlink_capable, which uses the init user ns. > > Instead, let's introduce a new flag, GENL_UNS_ADMIN_PERM for operations > which should be al

[PATCH 3/8] cgroup: introduce cgroup namespaces

2016-01-29 Thread serge . hallyn
-tools (like libcontainer, lxc, lmctfy, etc.) to create completely virtualized containers without leaking system level cgroup hierarchy to the task. This patch only implements the 'unshare' part of the cgroupns. Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- Changelog:

CGroup Namespaces (v10)

2016-01-29 Thread serge . hallyn
of threadgroup_lock() while creating new cgroupns - use task_lock() instead of rcu_read_lock() while accessing task->nsproxy - optimized setns() to own cgroupns - simplified code around sane-behavior mount option parsing 4. Restored ACKs from Serge Hallyn from v1 on few patches t

[PATCH 1/8] kernfs: Add API to generate relative kernfs path

2016-01-29 Thread serge . hallyn
From: Aditya Kali The new function kernfs_path_from_node() generates and returns kernfs path of a given kernfs_node relative to a given parent kernfs_node. Signed-off-by: Aditya Kali Signed-off-by: Serge E. Hallyn Acked-by: Greg Kroah-Hartman --- Changelog 20151125: - Fully-wing multilineco

[PATCH 7/8] cgroup: Add documentation for cgroup namespaces

2016-01-29 Thread serge . hallyn
From: Serge Hallyn Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn Signed-off-by: Tejun Heo --- Changelog (2015-12-08): Merge into Documentation/cgroup.txt Changelog (2015-12-22): Reformat to try to follow the style of the rest of the cgroup.txt file. Changelog (2015-12-22): tj

[PATCH 6/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2016-01-29 Thread serge . hallyn
From: Serge Hallyn This patch enables cgroup mounting inside userns when a process has appropriate privileges. The cgroup filesystem mounted is rooted at the cgroupns-root. Thus, in a container-setup, only the hierarchy under the cgroupns-root is exposed inside the container. This allows

[PATCH 8/8] Add FS_USERNS_FLAG to cgroup fs

2016-01-29 Thread serge . hallyn
From: Serge Hallyn allowing root in a non-init user namespace to mount it. This should now be safe, because 1. non-init-root cannot mount a previously unbound subsystem 2. the task doing the mount must be privileged with respect to the user namespace owning the cgroup namespace 3. the

[PATCH 2/8] sched: new clone flag CLONE_NEWCGROUP for cgroup namespace

2016-01-29 Thread serge . hallyn
From: Aditya Kali CLONE_NEWCGROUP will be used to create new cgroup namespace. Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- include/uapi/linux/sched.h |3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/uapi/linux/sched.h b/include/uapi/linux

[PATCH 5/8] kernfs: define kernfs_node_dentry

2016-01-29 Thread serge . hallyn
From: Aditya Kali A new kernfs api is added to look up the dentry for a particular kernfs path. Signed-off-by: Aditya Kali Signed-off-by: Serge E. Hallyn Acked-by: Greg Kroah-Hartman --- Changelog: 20151116 - Don't allow user namespaces to bind new subsystems 20151118 - pos

[PATCH 4/8] cgroup: cgroup namespace setns support

2016-01-29 Thread serge . hallyn
From: Aditya Kali setns on a cgroup namespace is allowed only if task has CAP_SYS_ADMIN in its current user-namespace and over the user-namespace associated with target cgroupns. No implicit cgroup changes happen with attaching to another cgroupns. It is expected that someone moves the attachi
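What a cgroup namespace virtualizes for the task inside it, as an added example that is not part of this series (the same setns description recurs under the older versions of the series further down): the program parses /proc/self/cgroup, unshares CLONE_NEWCGROUP, and reads the file again. The sample text is constructed, the fallback definition of CLONE_NEWCGROUP carries the value from the sched.h patch of this series, and the helper names are this example's own.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>

#ifndef CLONE_NEWCGROUP
#define CLONE_NEWCGROUP 0x02000000  /* value introduced by the sched.h patch in this series */
#endif

/* Constructed sample in /proc/self/cgroup format (not captured from a
 * real system): two v1 hierarchies plus the unified v2 entry. */
static const char SAMPLE_CGROUP[] =
    "12:memory:/user.slice/u1\n"
    "3:cpu,cpuacct:/sys\n"
    "0::/init.scope\n";

/*
 * Look up the cgroup path for one controller in text in /proc/self/cgroup
 * format ("hierarchy-id:controller,list:path").  Pass "" for the unified
 * v2 hierarchy, whose controller field is empty.  Returns 0 and fills
 * out[] on success, -1 if the controller is absent or out is too small.
 * Matching is exact per list entry, so "cpu" does not match "cpuacct".
 */
int cgroup_path_for(const char *text, const char *controller,
                    char *out, size_t outlen)
{
    size_t clen = strlen(controller);
    const char *line = text;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t linelen = nl ? (size_t)(nl - line) : strlen(line);
        const char *end = line + linelen;
        const char *c1 = memchr(line, ':', linelen);
        const char *c2 = c1 ? memchr(c1 + 1, ':', (size_t)(end - (c1 + 1))) : NULL;

        if (c1 && c2) {
            int match = 0;
            const char *s = c1 + 1;

            if (s == c2) {
                match = (clen == 0);          /* empty controller list: v2 */
            } else {
                while (s < c2) {
                    const char *e = memchr(s, ',', (size_t)(c2 - s));
                    if (!e)
                        e = c2;
                    if ((size_t)(e - s) == clen && memcmp(s, controller, clen) == 0) {
                        match = 1;
                        break;
                    }
                    s = e + 1;
                }
            }
            if (match) {
                size_t plen = (size_t)(end - (c2 + 1));
                if (plen + 1 > outlen)
                    return -1;
                memcpy(out, c2 + 1, plen);
                out[plen] = '\0';
                return 0;
            }
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return -1;
}

/* Same lookup, returning a static buffer or NULL. */
const char *cgroup_path_lookup(const char *text, const char *controller)
{
    static char out[256];
    return cgroup_path_for(text, controller, out, sizeof out) < 0 ? NULL : out;
}

static int read_self_cgroup(char *buf, size_t buflen)
{
    FILE *f = fopen("/proc/self/cgroup", "r");
    size_t n;

    if (!f)
        return -1;
    n = fread(buf, 1, buflen - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

int main(void)
{
    char text[4096];
    const char *ctl, *path;

    if (read_self_cgroup(text, sizeof text) < 0) {
        perror("/proc/self/cgroup");
        return 1;
    }
    /* prefer the unified hierarchy, fall back to the v1 memory controller */
    ctl = cgroup_path_lookup(text, "") ? "" : "memory";
    path = cgroup_path_lookup(text, ctl);
    if (!path) {
        fprintf(stderr, "no cgroup entry for '%s'\n", ctl);
        return 1;
    }
    printf("before unshare: %s\n", path);

    /* Needs CAP_SYS_ADMIN in the caller's user namespace: EPERM otherwise,
     * EINVAL on a kernel without cgroup namespaces. */
    if (unshare(CLONE_NEWCGROUP) < 0) {
        perror("unshare(CLONE_NEWCGROUP)");
        return 1;
    }
    if (read_self_cgroup(text, sizeof text) < 0 || !(path = cgroup_path_lookup(text, ctl))) {
        perror("re-reading /proc/self/cgroup");
        return 1;
    }
    /* The cgroup we were in at unshare() time is now the cgroupns root, so
     * this prints "/"; tasks outside that subtree show up as "/../name". */
    printf("after unshare:  %s\n", path);
    return 0;
}
```

Run it as root (or with CAP_SYS_ADMIN in your user namespace) on a kernel with CONFIG_CGROUPS and this series applied; an unprivileged run stops at the unshare() call with EPERM, which is the check the setns rule above describes.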

Re: [kernel-hardening] Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled

2016-01-26 Thread Serge Hallyn
Quoting Josh Boyer (jwbo...@fedoraproject.org): > On Tue, Jan 26, 2016 at 9:46 AM, Austin S. Hemmelgarn > wrote: > > On 2016-01-26 09:38, Josh Boyer wrote: > >> > >> On Mon, Jan 25, 2016 at 11:57 PM, Eric W. Biederman > >> wrote: > >>> > >>> Kees Cook writes: > >>> > On Mon, Jan 25, 2016 at

Re: [kernel-hardening] Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled

2016-01-26 Thread Serge Hallyn
Quoting Josh Boyer (jwbo...@fedoraproject.org): > On Mon, Jan 25, 2016 at 11:57 PM, Eric W. Biederman > wrote: > > Kees Cook writes: > > > >> On Mon, Jan 25, 2016 at 11:33 AM, Eric W. Biederman > >> wrote: > >>> Kees Cook writes: > > Well, I don't know about less weird, but it would l

Re: [kernel-hardening] Re: [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled

2016-01-25 Thread Serge Hallyn
Quoting Kees Cook (keesc...@chromium.org): > On Fri, Jan 22, 2016 at 7:02 PM, Eric W. Biederman > > So I have concerns about both efficacy and usability with the proposed > > sysctl. > > Two distros already have this sysctl because it was so strongly > requested by their users. This needs to be up

Re: [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled

2016-01-22 Thread Serge Hallyn
Quoting Kees Cook (keesc...@chromium.org): > On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki wrote: > > 2016-01-22 23:50 GMT+01:00 Kees Cook : > > > >>> Seems that Debian and some older Ubuntu versions are already using > >>> > >>> $ sysctl -a | grep usern > >>> kernel.unprivileged_userns_clone =

[PATCH 1/8] kernfs: Add API to generate relative kernfs path

2016-01-04 Thread serge . hallyn
From: Aditya Kali The new function kernfs_path_from_node() generates and returns kernfs path of a given kernfs_node relative to a given parent kernfs_node. Signed-off-by: Aditya Kali Signed-off-by: Serge E. Hallyn Acked-by: Greg Kroah-Hartman --- Changelog 20151125: - Fully-wing multilineco

CGroup Namespaces (v9)

2016-01-04 Thread serge . hallyn
sk_lock() instead of rcu_read_lock() while accessing task->nsproxy - optimized setns() to own cgroupns - simplified code around sane-behavior mount option parsing 4. Restored ACKs from Serge Hallyn from v1 on few patches that have not changed since then. Changes from V1: 1. No pinning of pr

[PATCH 6/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2016-01-04 Thread serge . hallyn
From: Serge Hallyn This patch enables cgroup mounting inside userns when a process has appropriate privileges. The cgroup filesystem mounted is rooted at the cgroupns-root. Thus, in a container-setup, only the hierarchy under the cgroupns-root is exposed inside the container. This allows

[PATCH 8/8] Add FS_USERNS_FLAG to cgroup fs

2016-01-04 Thread serge . hallyn
From: Serge Hallyn allowing root in a non-init user namespace to mount it. This should now be safe, because 1. non-init-root cannot mount a previously unbound subsystem 2. the task doing the mount must be privileged with respect to the user namespace owning the cgroup namespace 3. the

[PATCH 7/8] cgroup: Add documentation for cgroup namespaces

2016-01-04 Thread serge . hallyn
From: Serge Hallyn Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn Signed-off-by: Tejun Heo --- Changelog (2015-12-08): Merge into Documentation/cgroup.txt Changelog (2015-12-22): Reformat to try to follow the style of the rest of the cgroup.txt file. Changelog (2015-12-22): tj

[PATCH 5/8] kernfs: define kernfs_node_dentry

2016-01-04 Thread serge . hallyn
From: Aditya Kali A new kernfs api is added to look up the dentry for a particular kernfs path. Signed-off-by: Aditya Kali Signed-off-by: Serge E. Hallyn Acked-by: Greg Kroah-Hartman --- Changelog: 20151116 - Don't allow user namespaces to bind new subsystems 20151118 - pos

[PATCH 4/8] cgroup: cgroup namespace setns support

2016-01-04 Thread serge . hallyn
From: Aditya Kali setns on a cgroup namespace is allowed only if task has CAP_SYS_ADMIN in its current user-namespace and over the user-namespace associated with target cgroupns. No implicit cgroup changes happen with attaching to another cgroupns. It is expected that someone moves the attachi

[PATCH 3/8] cgroup: introduce cgroup namespaces

2016-01-04 Thread serge . hallyn
-tools (like libcontainer, lxc, lmctfy, etc.) to create completely virtualized containers without leaking system level cgroup hierarchy to the task. This patch only implements the 'unshare' part of the cgroupns. Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- Changelog:

[PATCH 2/8] sched: new clone flag CLONE_NEWCGROUP for cgroup namespace

2016-01-04 Thread serge . hallyn
From: Aditya Kali CLONE_NEWCGROUP will be used to create new cgroup namespace. Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- include/uapi/linux/sched.h |3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/uapi/linux/sched.h b/include/uapi/linux

Re: [PATCH 7/8] cgroup: Add documentation for cgroup namespaces

2015-12-28 Thread Serge Hallyn
On Mon Dec 28 2015 09:47:35 AM PST, Tejun Heo wrote: > Hello, > > I did some heavy editing of the documentation. How does this look? Thanks Tejun, just three things (which come from my version): > Did I miss anything? > > Thanks. > --- > Documentation/cgroup.txt | 146 > +++

[PATCH 3/8] cgroup: introduce cgroup namespaces

2015-12-22 Thread serge . hallyn
-tools (like libcontainer, lxc, lmctfy, etc.) to create completely virtualized containers without leaking system level cgroup hierarchy to the task. This patch only implements the 'unshare' part of the cgroupns. Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- Changelog:

[PATCH 1/8] kernfs: Add API to generate relative kernfs path

2015-12-22 Thread serge . hallyn
From: Aditya Kali The new function kernfs_path_from_node() generates and returns kernfs path of a given kernfs_node relative to a given parent kernfs_node. Signed-off-by: Aditya Kali Signed-off-by: Serge E. Hallyn --- Changelog 20151125: - Fully-wing multiline comments - Rework kernfs_path_

[PATCH 6/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-12-22 Thread serge . hallyn
From: Serge Hallyn This patch enables cgroup mounting inside userns when a process has appropriate privileges. The cgroup filesystem mounted is rooted at the cgroupns-root. Thus, in a container-setup, only the hierarchy under the cgroupns-root is exposed inside the container. This allows

[PATCH 8/8] Add FS_USERNS_FLAG to cgroup fs

2015-12-22 Thread serge . hallyn
From: Serge Hallyn allowing root in a non-init user namespace to mount it. This should now be safe, because 1. non-init-root cannot mount a previously unbound subsystem 2. the task doing the mount must be privileged with respect to the user namespace owning the cgroup namespace 3. the

[PATCH 5/8] kernfs: define kernfs_node_dentry

2015-12-22 Thread serge . hallyn
From: Aditya Kali A new kernfs api is added to look up the dentry for a particular kernfs path. Signed-off-by: Aditya Kali Signed-off-by: Serge E. Hallyn --- Changelog: 20151116 - Don't allow user namespaces to bind new subsystems 20151118 - postpone the FS_USERNS_MOUNT flag

[PATCH 7/8] cgroup: Add documentation for cgroup namespaces

2015-12-22 Thread serge . hallyn
From: Aditya Kali Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- Changelog (2015-12-08): Merge into Documentation/cgroup.txt Changelog (2015-12-22): Reformat to try to follow the style of the rest of the cgroup.txt file. Signed-off-by: Serge Hallyn --- Documentation

[PATCH 4/8] cgroup: cgroup namespace setns support

2015-12-22 Thread serge . hallyn
From: Aditya Kali setns on a cgroup namespace is allowed only if task has CAP_SYS_ADMIN in its current user-namespace and over the user-namespace associated with target cgroupns. No implicit cgroup changes happen with attaching to another cgroupns. It is expected that someone moves the attachi

[PATCH 2/8] sched: new clone flag CLONE_NEWCGROUP for cgroup namespace

2015-12-22 Thread serge . hallyn
From: Aditya Kali CLONE_NEWCGROUP will be used to create new cgroup namespace. Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- include/uapi/linux/sched.h |3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/uapi/linux/sched.h b/include/uapi/linux

CGroup Namespaces (v8)

2015-12-22 Thread serge . hallyn
g task->nsproxy - optimized setns() to own cgroupns - simplified code around sane-behavior mount option parsing 4. Restored ACKs from Serge Hallyn from v1 on few patches that have not changed since then. Changes from V1: 1. No pinning of processes within cgroupns. Tasks can be freely moved

Re: [PATCH] [RFC] selftests/cgroupns: new test for cgroup namespaces

2015-12-22 Thread Serge Hallyn
Quoting Alban Crequy (alban.cre...@gmail.com): > From: Alban Crequy > > This adds the selftest "cgroupns_test" in order to test the CGroup > Namespace patchset. > > cgroupns_test creates two child processes. They perform a list of > actions defined by the array cgroupns_test. This array can easi

Re: [PATCH 1/8] kernfs: Add API to generate relative kernfs path

2015-12-09 Thread Serge Hallyn
Quoting Tejun Heo (t...@kernel.org): > Hello, Serge. > > On Wed, Dec 09, 2015 at 01:28:54PM -0600, serge.hal...@ubuntu.com wrote: > > +/* kernfs_node_depth - compute depth from @from to @to */ > > +static size_t kernfs_depth(struct kernfs_node *from, struct kernfs_node > > *to) > ... > > +char *k

CGroup Namespaces (v7)

2015-12-09 Thread serge . hallyn
;nsproxy - optimized setns() to own cgroupns - simplified code around sane-behavior mount option parsing 4. Restored ACKs from Serge Hallyn from v1 on few patches that have not changed since then. Changes from V1: 1. No pinning of processes within cgroupns. Tasks can be freely moved acro

[PATCH 3/8] cgroup: introduce cgroup namespaces

2015-12-09 Thread serge . hallyn
-tools (like libcontainer, lxc, lmctfy, etc.) to create completely virtualized containers without leaking system level cgroup hierarchy to the task. This patch only implements the 'unshare' part of the cgroupns. Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- Changelog:

[PATCH 2/8] sched: new clone flag CLONE_NEWCGROUP for cgroup namespace

2015-12-09 Thread serge . hallyn
From: Aditya Kali CLONE_NEWCGROUP will be used to create new cgroup namespace. Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- include/uapi/linux/sched.h |3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/uapi/linux/sched.h b/include/uapi/linux

[PATCH 8/8] Add FS_USERNS_FLAG to cgroup fs

2015-12-09 Thread serge . hallyn
From: Serge Hallyn allowing root in a non-init user namespace to mount it. This should now be safe, because 1. non-init-root cannot mount a previously unbound subsystem 2. the task doing the mount must be privileged with respect to the user namespace owning the cgroup namespace 3. the

[PATCH 5/8] kernfs: define kernfs_node_dentry

2015-12-09 Thread serge . hallyn
From: Aditya Kali A new kernfs api is added to look up the dentry for a particular kernfs path. Signed-off-by: Aditya Kali Signed-off-by: Serge E. Hallyn --- Changelog: 20151116 - Don't allow user namespaces to bind new subsystems 20151118 - postpone the FS_USERNS_MOUNT flag

[PATCH 6/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-12-09 Thread serge . hallyn
From: Serge Hallyn This patch enables cgroup mounting inside userns when a process has appropriate privileges. The cgroup filesystem mounted is rooted at the cgroupns-root. Thus, in a container-setup, only the hierarchy under the cgroupns-root is exposed inside the container. This allows

[PATCH 4/8] cgroup: cgroup namespace setns support

2015-12-09 Thread serge . hallyn
From: Aditya Kali setns on a cgroup namespace is allowed only if task has CAP_SYS_ADMIN in its current user-namespace and over the user-namespace associated with target cgroupns. No implicit cgroup changes happen with attaching to another cgroupns. It is expected that someone moves the attachi

[PATCH 1/8] kernfs: Add API to generate relative kernfs path

2015-12-09 Thread serge . hallyn
From: Aditya Kali The new function kernfs_path_from_node() generates and returns kernfs path of a given kernfs_node relative to a given parent kernfs_node. Signed-off-by: Aditya Kali Signed-off-by: Serge E. Hallyn --- Changelog 20151125: - Fully-wing multiline comments - Rework kernfs_path_

[PATCH 7/8] cgroup: Add documentation for cgroup namespaces

2015-12-09 Thread serge . hallyn
From: Aditya Kali Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- Changelog (2015-12-08): Merge into Documentation/cgroup.txt --- Documentation/cgroup.txt | 144 ++ 1 file changed, 144 insertions(+) diff --git a/Documentation/cgroup.txt

CGroup Namespaces (v6)

2015-12-07 Thread serge . hallyn
setns() to own cgroupns - simplified code around sane-behavior mount option parsing 4. Restored ACKs from Serge Hallyn from v1 on few patches that have not changed since then. Changes from V1: 1. No pinning of processes within cgroupns. Tasks can be freely moved across cgroups even outside

[PATCH 3/7] cgroup: introduce cgroup namespaces

2015-12-07 Thread serge . hallyn
.c (and .h) - reformatting - make get_cgroup_ns return void - rename ns->root_cgrps to root_cset. Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- fs/proc/namespaces.c|3 + include/linux/cgroup.h | 51 include/linux/nsproxy.h |2 +

[PATCH 7/7] Add FS_USERNS_FLAG to cgroup fs

2015-12-07 Thread serge . hallyn
From: Serge Hallyn allowing root in a non-init user namespace to mount it. This should now be safe, because 1. non-init-root cannot mount a previously unbound subsystem 2. the task doing the mount must be privileged with respect to the user namespace owning the cgroup namespace 3. the

[PATCH 6/7] cgroup: Add documentation for cgroup namespaces

2015-12-07 Thread serge . hallyn
From: Aditya Kali Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- Documentation/cgroups/namespace.txt | 142 +++ 1 file changed, 142 insertions(+) create mode 100644 Documentation/cgroups/namespace.txt diff --git a/Documentation/cgroups

[PATCH 5/7] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-12-07 Thread serge . hallyn
From: Aditya Kali This patch enables cgroup mounting inside userns when a process has appropriate privileges. The cgroup filesystem mounted is rooted at the cgroupns-root. Thus, in a container-setup, only the hierarchy under the cgroupns-root is exposed inside the container. This allows container

[PATCH 2/7] sched: new clone flag CLONE_NEWCGROUP for cgroup namespace

2015-12-07 Thread serge . hallyn
From: Aditya Kali CLONE_NEWCGROUP will be used to create new cgroup namespace. Signed-off-by: Aditya Kali Acked-by: Serge Hallyn --- include/uapi/linux/sched.h |3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/uapi/linux/sched.h b/include/uapi/linux/sched.h

[PATCH 4/7] cgroup: cgroup namespace setns support

2015-12-07 Thread serge . hallyn
From: Aditya Kali setns on a cgroup namespace is allowed only if task has CAP_SYS_ADMIN in its current user-namespace and over the user-namespace associated with target cgroupns. No implicit cgroup changes happen with attaching to another cgroupns. It is expected that someone moves the attachi

[PATCH 1/7] kernfs: Add API to generate relative kernfs path

2015-12-07 Thread serge . hallyn
From: Aditya Kali The new function kernfs_path_from_node() generates and returns kernfs path of a given kernfs_node relative to a given parent kernfs_node. Changelog 20151125: - Fully-wing multiline comments - Rework kernfs_path_from_node_locked() logic - Replace BUG_ONs with returning NULL

Re: [PATCH 7/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-12-07 Thread Serge Hallyn
Quoting Tejun Heo (t...@kernel.org): > Hello, Serge. > > On Thu, Dec 03, 2015 at 04:47:06PM -0600, Serge E. Hallyn wrote: > ... > > + dentry = dget(sb->s_root); > > + if (!kn->parent) // this is the root > > + return dentry; > > + > > + knparent = find_kn_ancestor_below(kn, NULL);

[PATCH 2/7] sched: new clone flag CLONE_NEWCGROUP for cgroup namespace

2015-11-27 Thread serge . hallyn
From: Aditya Kali CLONE_NEWCGROUP will be used to create new cgroup namespace. Signed-off-by: Aditya Kali Acked-by: Serge Hallyn --- include/uapi/linux/sched.h |3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/uapi/linux/sched.h b/include/uapi/linux/sched.h

[PATCH 3/7] cgroup: introduce cgroup namespaces

2015-11-27 Thread serge . hallyn
.c (and .h) - reformatting - make get_cgroup_ns return void - rename ns->root_cgrps to root_cset. Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- fs/proc/namespaces.c|3 + include/linux/cgroup.h | 51 include/linux/nsproxy.h |2 +

[PATCH 4/7] cgroup: cgroup namespace setns support

2015-11-27 Thread serge . hallyn
From: Aditya Kali setns on a cgroup namespace is allowed only if task has CAP_SYS_ADMIN in its current user-namespace and over the user-namespace associated with target cgroupns. No implicit cgroup changes happen with attaching to another cgroupns. It is expected that someone moves the attachi

[PATCH 6/7] cgroup: Add documentation for cgroup namespaces

2015-11-27 Thread serge . hallyn
From: Aditya Kali Signed-off-by: Aditya Kali Signed-off-by: Serge Hallyn --- Documentation/cgroups/namespace.txt | 142 +++ 1 file changed, 142 insertions(+) create mode 100644 Documentation/cgroups/namespace.txt diff --git a/Documentation/cgroups

CGroup Namespaces (v5)

2015-11-27 Thread serge . hallyn
s from last patchset: - removed use of threadgroup_lock() while creating new cgroupns - use task_lock() instead of rcu_read_lock() while accessing task->nsproxy - optimized setns() to own cgroupns - simplified code around sane-behavior mount option parsing 4. Restored ACKs from Serg

[PATCH 5/7] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-11-27 Thread serge . hallyn
From: Aditya Kali This patch enables cgroup mounting inside userns when a process has appropriate privileges. The cgroup filesystem mounted is rooted at the cgroupns-root. Thus, in a container-setup, only the hierarchy under the cgroupns-root is exposed inside the container. This allows container

[PATCH 1/7] kernfs: Add API to generate relative kernfs path

2015-11-27 Thread serge . hallyn
From: Aditya Kali The new function kernfs_path_from_node() generates and returns kernfs path of a given kernfs_node relative to a given parent kernfs_node. Changelog 20151125: - Fully-wing multiline comments - Rework kernfs_path_from_node_locked() logic - Replace BUG_ONs with returning NULL

[PATCH 7/7] Add FS_USERNS_FLAG to cgroup fs

2015-11-27 Thread serge . hallyn
From: Serge Hallyn allowing root in a non-init user namespace to mount it. This should now be safe, because 1. non-init-root cannot mount a previously unbound subsystem 2. the task doing the mount must be privileged with respect to the user namespace owning the cgroup namespace 3. the

Re: [PATCH 7/8] cgroup: mount cgroupns-root when inside non-init cgroupns

2015-11-25 Thread Serge Hallyn
Quoting Tejun Heo (t...@kernel.org): > Hello, Serge. > > On Wed, Nov 25, 2015 at 12:01:56AM -0600, Serge E. Hallyn wrote: > > that was my goal with > > https://git.kernel.org/cgit/linux/kernel/git/sergeh/linux-security.git/commit/?h=cgroupns.v4&id=8eb75d2bb24df59e262f050dce567d2332adc5f3 > > (whi

Re: [PATCH v3 0/7] User namespace mount updates

2015-11-18 Thread Serge Hallyn
Quoting Theodore Ts'o (ty...@mit.edu): > On Tue, Nov 17, 2015 at 12:34:44PM -0600, Seth Forshee wrote: > > On Tue, Nov 17, 2015 at 05:55:06PM +, Al Viro wrote: > > > On Tue, Nov 17, 2015 at 11:25:51AM -0600, Seth Forshee wrote: > > > > > > > Shortly after that I plan to follow with support for

Re: [RFC] namei: prevent sgid-hardlinks for unmapped gids

2015-11-03 Thread Serge Hallyn
Quoting Dirk Steinmetz (pub...@rsjtdrjgfuzkfg.com): > In order to hardlink to a sgid-executable, it is sufficient to be the > file's owner. When hardlinking within an unprivileged user namespace, the > users of that namespace could thus use hardlinks to pin setgid binaries > owned by themselves (or

Re: [PATCH] namei: permit linking with CAP_FOWNER in userns

2015-11-02 Thread Serge Hallyn
Quoting Dirk Steinmetz (pub...@rsjtdrjgfuzkfg.com): > On Wed, 28 Oct 2015 17:33:10 +0000, Serge Hallyn wrote: > > Quoting Dirk Steinmetz (pub...@rsjtdrjgfuzkfg.com): > > > On Tue, 27 Oct 2015 20:28:02 +0000, Serge Hallyn wrote: > > > > Quoting Dirk Steinm

Re: [PATCH] namei: permit linking with CAP_FOWNER in userns

2015-10-28 Thread Serge Hallyn
Quoting Dirk Steinmetz (pub...@rsjtdrjgfuzkfg.com): > On Tue, 27 Oct 2015 20:28:02 +0000, Serge Hallyn wrote: > > Quoting Dirk Steinmetz (pub...@rsjtdrjgfuzkfg.com): > > > On Tue, 27 Oct 2015 09:33:44 -0500, Seth Forshee wrote: > > > > I did want to point what seems

Re: [PATCH] namei: permit linking with CAP_FOWNER in userns

2015-10-27 Thread Serge Hallyn
Quoting Dirk Steinmetz (pub...@rsjtdrjgfuzkfg.com): > On Tue, 27 Oct 2015 09:33:44 -0500, Seth Forshee wrote: > > On Tue, Oct 20, 2015 at 04:09:19PM +0200, Dirk Steinmetz wrote: > > > Attempting to hardlink to an unsafe file (e.g. a setuid binary) from > > > within an unprivileged user namespace fa

Re: [PATCH RFC] pidns: introduce syscall getvpid

2015-09-15 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com): > On Tue, Sep 15, 2015 at 06:01:38PM +0300, Konstantin Khlebnikov wrote: > > On 15.09.2015 17:27, Eric W. Biederman wrote: > > >Konstantin Khlebnikov writes: > > > > > >>pid_t getvpid(pid_t pid, pid_t source, pid_t target); > > >> > > >>This syscall c

Re: [PATCH 0/7] Initial support for user namespace owned mounts

2015-07-30 Thread Serge Hallyn
Quoting Amir Goldstein (a...@cellrox.com): > On Tue, Jul 28, 2015 at 11:40 PM, Seth Forshee > wrote: > > > > On Wed, Jul 22, 2015 at 05:05:17PM -0700, Casey Schaufler wrote: > > > > This is what I currently think you want for user ns mounts: > > > > > > > > 1. smk_root and smk_default are assigne

Re: [PATCH v4] seccomp: add ptrace options for suspend/resume

2015-06-10 Thread Serge Hallyn
Quoting Andy Lutomirski (l...@amacapital.net): > On Wed, Jun 10, 2015 at 9:31 AM, Oleg Nesterov wrote: > > On 06/09, Andy Lutomirski wrote: > >> > >> On Tue, Jun 9, 2015 at 5:49 PM, Tycho Andersen > >> > > >> > @@ -556,6 +556,15 @@ static int ptrace_setoptions(struct task_struct > >> > *child, un

Re: [PATCH v2 1/2] capabilities: Ambient capabilities

2015-05-23 Thread Serge Hallyn
Thanks very much, Andy. Comments and ack below. Quoting Andy Lutomirski (l...@kernel.org): > Credit where credit is due: this idea comes from Christoph Lameter > with a lot of valuable input from Serge Hallyn. This patch is > heavily based on Christoph's patch. > >

Re: [RFC] capabilities: Ambient capabilities

2015-04-24 Thread Serge Hallyn
Quoting Andy Lutomirski (l...@amacapital.net): > On Apr 24, 2015 2:15 PM, "Serge E. Hallyn" wrote: > > > > On Fri, Apr 24, 2015 at 01:18:44PM -0700, Andy Lutomirski wrote: > > > On Fri, Apr 24, 2015 at 1:13 PM, Christoph Lameter wrote: > > > > On Fri, 24 Apr 2015, Andy Lutomirski wrote: > > > > >

Re: [RFC] capabilities: Ambient capabilities

2015-04-24 Thread Serge Hallyn
Quoting Andy Lutomirski (l...@amacapital.net): > On Fri, Apr 24, 2015 at 10:53 AM, Serge Hallyn > wrote: > > Quoting Christoph Lameter (c...@linux.com): > >> On Thu, 9 Apr 2015, Christoph Lameter wrote: > >> > >> > > I'll submit a new

Re: [RFC] capabilities: Ambient capabilities

2015-04-24 Thread Serge Hallyn
Quoting Christoph Lameter (c...@linux.com): > On Thu, 9 Apr 2015, Christoph Lameter wrote: > > > > I'll submit a new version this week with the securebits. Sorry for the > > > delay. > > Are we going to get a new version? > > Replying to my own here. Can't we simply use the SETPCAP approach as

Re: [PATCH] devpts: Add ptmx_uid and ptmx_gid options

2015-04-02 Thread Serge Hallyn
Quoting Andy Lutomirski (l...@amacapital.net): > On Thu, Apr 2, 2015 at 7:29 AM, Alexander Larsson wrote: > > On Thu, 2015-04-02 at 07:06 -0700, Andy Lutomirski wrote: > >> On Thu, Apr 2, 2015 at 3:12 AM, James Bottomley > >> wrote: > >> > On Tue, 2015-03-31 at 16:17 +0200, Alexander Larsson wrot

Re: [PATCH] capabilities: Ambient capability set V1

2015-02-24 Thread Serge Hallyn
Quoting Christoph Lameter (c...@linux.com): > On Tue, 24 Feb 2015, Serge Hallyn wrote: > > > Unless I'm misunderstanding what you are saying, apps do have surprises. > > They drop capabilities, execute a file, and the result has capabilities > > which the app couldn&

Re: [PATCH] capabilities: Ambient capability set V1

2015-02-24 Thread Serge Hallyn
Quoting Christoph Lameter (c...@linux.com): > On Tue, 24 Feb 2015, Serge E. Hallyn wrote: > > > The other way to look at it then is that it's basically as though the > > privileged task (which has CAP_SETFCAP) could've just added fI=full to > > all binaries on the filesystem; instead it's using t

Re: [PATCH] capabilities: Ambient capability set V1

2015-02-23 Thread Serge Hallyn
Quoting Christoph Lameter (c...@linux.com): > On Mon, 23 Feb 2015, Serge E. Hallyn wrote: > > > > I do not see a problem with dropping privilege since the ambient set > > > is supposed to be preserved across a drop of privilege. > > > > Because you're tricking the program into thinking it has dro

Re: [PATCH] capabilities: Ambient capability set V1

2015-02-23 Thread Serge Hallyn
Quoting Christoph Lameter (c...@linux.com): > Ok 4.0-rc1 is out and this patch has been sitting here for a couple of > weeks without comment after an intensive discussion about the RFCs. > > Since there were no objections: Is there any chance to get this into -next > somehow? Andrew Morgan and An

cpusets in non-unified hierarchy broken?

2015-02-12 Thread Serge Hallyn
Hi, as of some point in 3.18, cpuset.cpus doesn't seem to be enforced any more. I don't see an obvious reason in the code, but it seems likely to be related to the effective_cpus. If I mount -t cgroup -o cpuset cpuset /mnt and then mkdir /mnt/lxc, then /mnt/lxc has:

Re: [capabilities] Allow normal inheritance for a configurable set of capabilities

2015-02-02 Thread Serge Hallyn
Quoting Andy Lutomirski (l...@amacapital.net): > On Mon, Feb 2, 2015 at 9:12 AM, Serge Hallyn wrote: > > A key concept behind posix capabilities is that the privilege comes from > > both the person and the file being executed. As you say below basically > > anything c

Re: [capabilities] Allow normal inheritance for a configurable set of capabilities

2015-02-02 Thread Serge Hallyn
Quoting Casey Schaufler (ca...@schaufler-ca.com): > I'm game to participate in such an effort. The POSIX scheme > is workable, but given that it's 20 years old and hasn't > developed real traction it's hard to call it successful. Over the years we've several times discussed possible reasons for th
