[Devel] Re: [PATCH 20/38] netns ct: NOTRACK in netns

2008-08-22 Thread adobriyan
On Thu, Aug 21, 2008 at 07:06:37PM -0400, Jan Engelhardt wrote: On Thursday 2008-08-21 18:04, [EMAIL PROTECTED] wrote: Make untracked conntrack per-netns. Why? It does not store any useful information per se, it is merely used to add a third type of ct, iow: (a) ct==NULL (b) ct!=NULL

[Devel] Re: SNMP statistics in namespaces

2008-08-22 Thread Dave Hansen
On Fri, 2008-08-22 at 13:57 +0200, Eelco Chaudron wrote: I was looking at the 2.6.26 nw namespace code, and noticed that the SNMP counters are still system wide. Looking at the status page there is no separate item on SNMP. Was this overlooked, skipped on purpose, or is it in the pipeline?

[Devel] Re: SNMP statistics in namespaces

2008-08-22 Thread Balbir Singh
Dave Hansen wrote: On Fri, 2008-08-22 at 13:57 +0200, Eelco Chaudron wrote: I was looking at the 2.6.26 nw namespace code, and noticed that the SNMP counters are still system wide. Looking at the status page there is no separate item on SNMP. Was this overlooked, skipped on purpose, or is it

[Devel] Re: RFC: Attaching threads to cgroups is OK?

2008-08-22 Thread Vivek Goyal
On Thu, Aug 21, 2008 at 02:25:06PM +0900, Fernando Luis Vázquez Cao wrote: Hi Balbir, On Thu, 2008-08-21 at 09:02 +0530, Balbir Singh wrote: Fernando Luis Vázquez Cao wrote: On Wed, 2008-08-20 at 20:48 +0900, Hirokazu Takahashi wrote: Hi, Tsuruta-san, how about your bio-cgroup's

[Devel] [0/10] User namespaces: introduction

2008-08-22 Thread Serge E. Hallyn
Hi Eric, so here is a start to a userns patchset trying to follow your ideas about how to have user namespaces and filesystems interact. Ignore the bookkeeping crap or you'll pull your hair out. Lots of stuff remains unimplemented - i.e. chown (setattr) and proper handling of capabilities. But

[Devel] [PATCH 03/10] user namespaces: reset task's credentials on CLONE_NEWUSER

2008-08-22 Thread Serge E. Hallyn
Currently, creating a new user namespace does not reset the task's uid or gid. Since generally that is done as root because it requires CAP_SYS_ADMIN, and since the first uid in the new namespace is 0, one usually doesn't notice. However, if one does capset cap_sys_admin=ep ns_exec

[Devel] [PATCH 01/10] user namespaces: introduce user_struct-user_namespace relationship

2008-08-22 Thread Serge E. Hallyn
When a task does clone(CLONE_NEWNS), the task's user is the 'creator' of the new user_namespace, and the user_namespace is tacked onto a list of those created by this user. Changelog: Aug 1: renamed user->user_namespace to user_ns, as the next patch did anyway. Aug

[Devel] [PATCH 05/10] user namespaces: Allow registering new usernamespaces using mount

2008-08-22 Thread Serge E. Hallyn
Allow registering new user namespaces using mount(MS_ADD_USERNS). Define lib/fsuserns.c which will contain functions which filesystems can hook into to support user namespaces. Since fsuserns.c currently supports neither reading policy nor storing userns info using xattrs, the support is really

[Devel] [PATCH 04/10] user namespaces: enforce user namespaces for file permission

2008-08-22 Thread Serge E. Hallyn
Add a user_ns to the sb. It is always set to the user_ns of the task which mounted the sb. Define 3 new super_operations. convert_uid() and convert_gid() take a uid or gid from an inode on the sb's fs, and attempt to convert them into ids meaningful in the user namespace passed in, which

[Devel] [PATCH 02/10] user namespaces: move user_ns from nsproxy into user struct

2008-08-22 Thread Serge E. Hallyn
When we get the sysfs support needed to support fair user scheduling along with user namespaces, then we will need to be able to get the user namespace from the user struct. So we need the user_ns to be a part of struct user. Once we can access it from tsk->user, we no longer have a use for

[Devel] [PATCH 10/10] userns: add support for readdir

2008-08-22 Thread Serge E. Hallyn
Now ls works correctly inside a userns! (but don't go doing some sort of setattr like 'chown' :) Signed-off-by: Serge Hallyn [EMAIL PROTECTED] --- fs/ext3/file.c |4 fs/ext3/inode.c | 22 ++ fs/ext3/namei.c |3 +++ fs/ext3/xattr.c |6 ++

[Devel] [PATCH 06/10] user namespaces: hook fs/attr.c

2008-08-22 Thread Serge E. Hallyn
Hook fs/attr.c so things like chown are properly handled. Note this is only for permission checks. We'll need to hook ext3_setattr to get the right uids updated. Signed-off-by: Serge Hallyn [EMAIL PROTECTED] --- fs/attr.c | 28 +++- include/linux/sched.h |

[Devel] [PATCH 09/10] userns: have ext3 use fsuserns to read userns xattrs, and add groups to userns

2008-08-22 Thread Serge E. Hallyn
userns: have ext3 use fsuserns to read userns xattrs, and add groups to userns Signed-off-by: Serge Hallyn [EMAIL PROTECTED] --- fs/ext3/super.c| 11 +-- fs/ext3/xattr.c| 19 ++- fs/ext3/xattr.h|3 ++- include/linux/fs.h |2 +- lib/fsuserns.c |

[Devel] [PATCH 07/10] user namespaces: bad bad bad but test code

2008-08-22 Thread Serge E. Hallyn
Let uid 0 in a child namespace whose creator owns a file, access that file. This of course means that user hallyn (if he is allowed to remount / for his userns, i.e. through capset cap_sys_admin=ep usernsremount can create files owned by root. So this is only so we can play. This code

[Devel] [PATCH 08/10] userns: store child userns uids as xattrs in ext3 using lib/fsuserns

2008-08-22 Thread Serge E. Hallyn
userns: store child userns uids as xattrs in ext3 using lib/fsuserns Signed-off-by: Serge Hallyn [EMAIL PROTECTED] --- fs/ext3/namei.c|7 +++- fs/ext3/xattr.c| 29 +++ fs/ext3/xattr.h|2 + include/linux/user_namespace.h |1

[Devel] Re: [RFC v2][PATCH 1/9] Create trivial sys_checkpoint/sys_restart syscalls

2008-08-22 Thread Dave Hansen
On Fri, 2008-08-22 at 12:32 -0700, Dave Hansen wrote: On Wed, 2008-08-20 at 23:03 -0400, Oren Laadan wrote: 6/unistd_32.h index d739467..88bdec4 100644 --- a/include/asm-x86/unistd_32.h +++ b/include/asm-x86/unistd_32.h @@ -338,6 +338,8 @@ #define __NR_dup3 330

[Devel] Re: [PATCH 04/10] user namespaces: enforce user namespaces for file permission

2008-08-22 Thread Eric W. Biederman
Serge E. Hallyn [EMAIL PROTECTED] writes: Add a user_ns to the sb. It is always set to the user_ns of the task which mounted the sb. Define 3 new super_operations. convert_uid() and convert_gid() take a uid or gid from an inode on the sb's fs, and attempt to convert them into ids

[Devel] Re: [0/10] User namespaces: introduction

2008-08-22 Thread Eric W. Biederman
Serge E. Hallyn [EMAIL PROTECTED] writes: Hi Eric, so here is a start to a userns patchset trying to follow your ideas about how to have user namespaces and filesystems interact. Ignore the bookkeeping crap or you'll pull your hair out. Lots of stuff remains unimplemented - i.e. chown

[Devel] Re: [RFC v2][PATCH 1/9] Create trivial sys_checkpoint/sys_restart syscalls

2008-08-22 Thread Oren Laadan
Dave Hansen wrote: On Wed, 2008-08-20 at 23:03 -0400, Oren Laadan wrote: 6/unistd_32.h index d739467..88bdec4 100644 --- a/include/asm-x86/unistd_32.h +++ b/include/asm-x86/unistd_32.h @@ -338,6 +338,8 @@ #define __NR_dup3 330 #define __NR_pipe2331 #define

[Devel] Re: [PATCH 04/10] user namespaces: enforce user namespaces for file permission

2008-08-22 Thread Eric W. Biederman
Serge E. Hallyn [EMAIL PROTECTED] writes: Add a user_ns to the sb. It is always set to the user_ns of the task which mounted the sb. Define 3 new super_operations. convert_uid() and convert_gid() take a uid or gid from an inode on the sb's fs, and attempt to convert them into ids

[Devel] Re: [RFC v2][PATCH 4/9] Memory management - dump state

2008-08-22 Thread Oren Laadan
Thanks Louis for all the comments. Will fix in v3. Oren. Louis Rilling wrote: On Wed, Aug 20, 2008 at 11:05:15PM -0400, Oren Laadan wrote: For each VMA, there is a 'struct cr_vma'; if the VMA is file-mapped, it will be followed by the file name. The cr_vma->npages will tell how many pages

[Devel] Re: [PATCH 04/10] user namespaces: enforce usernamespaces for file permission

2008-08-22 Thread Serge E. Hallyn
Quoting Eric W. Biederman ([EMAIL PROTECTED]): Serge E. Hallyn [EMAIL PROTECTED] writes: Add a user_ns to the sb. It is always set to the user_ns of the task which mounted the sb. Define 3 new super_operations. convert_uid() and convert_gid() take a uid or gid from an inode on the

[Devel] Re: [PATCH 04/10] user namespaces: enforce user namespaces for file permission

2008-08-22 Thread Serge E. Hallyn
Quoting Eric W. Biederman ([EMAIL PROTECTED]): Serge E. Hallyn [EMAIL PROTECTED] writes: Add a user_ns to the sb. It is always set to the user_ns of the task which mounted the sb. Define 3 new super_operations. convert_uid() and convert_gid() take a uid or gid from an inode on the

[Devel] Re: [0/10] User namespaces: introduction

2008-08-22 Thread Serge E. Hallyn
Quoting Eric W. Biederman ([EMAIL PROTECTED]): Serge E. Hallyn [EMAIL PROTECTED] writes: Hi Eric, so here is a start to a userns patchset trying to follow your ideas about how to have user namespaces and filesystems interact. Ignore the bookkeeping crap or you'll pull your hair out.

[Devel] Re: [PATCH 04/10] user namespaces: enforce usernamespaces for file permission

2008-08-22 Thread Eric W. Biederman
Serge E. Hallyn [EMAIL PROTECTED] writes: By itself that is not sufficient. We need to support two inodes on the same fs where both have i_uid=500 on the host fs, while in user namespace X one is owned by uid 0, and another by uid 1000. So we need to be able to pass the filesystem an inode

[Devel] Re: [PATCH 04/10] user namespaces: enforce usernamespaces for file permission

2008-08-22 Thread Serge E. Hallyn
Quoting Eric W. Biederman ([EMAIL PROTECTED]): Serge E. Hallyn [EMAIL PROTECTED] writes: By itself that is not sufficient. We need to support two inodes on the same fs where both have i_uid=500 on the host fs, while in user namespace X one is owned by uid 0, and another by uid 1000.

[Devel] Re: [PATCH 04/10] user namespaces: enforce user namespaces for file permission

2008-08-22 Thread Eric W. Biederman
Serge E. Hallyn [EMAIL PROTECTED] writes: That might make sense. I guess the problem is I started trying to handle generic permission. But I don't need to... the fs can provide its own permission, else we do the simple userns check. Sounds right. We really need that simple starting place

[Devel] Re: [0/10] User namespaces: introduction

2008-08-22 Thread Eric W. Biederman
Serge E. Hallyn [EMAIL PROTECTED] writes: It definitely seems to make sense in terms of the security implications. And solving this before the filesystem handlers seems to make sense too. Although I would like to get the first 3 patches upstream pretty soon, as I believe they are proper

[Devel] Re: [PATCH 04/10] user namespaces: enforce usernamespaces for file permission

2008-08-22 Thread Eric W. Biederman
Serge E. Hallyn [EMAIL PROTECTED] writes: There are two questions. Does this filesystem provide mappings to user namespace X? What is the mapping from this filesystem to user namespace X? That is where you and I still disagree: I don't believe that a mapping as such makes sense. A