Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-28 Thread Serge E. Hallyn
Quoting Amir Goldstein (amir7...@gmail.com): > On Wed, Jun 28, 2017 at 8:41 AM, Serge E. Hallyn wrote: > > Hi Amir, > > > > I was liking the prefix at first, but I'm actually not sure it's worth > > it. The main advantage would be so that checking for namespace or other > > tags could be done

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-28 Thread Stefan Berger
On 06/28/2017 03:18 AM, Amir Goldstein wrote: On Wed, Jun 28, 2017 at 8:41 AM, Serge E. Hallyn wrote: On Fri, Jun 23, 2017 at 10:01:46AM +0300, Amir Goldstein wrote: On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger wrote: This series of patches primary goal is to enable file capabilities in

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-28 Thread Amir Goldstein
On Wed, Jun 28, 2017 at 8:41 AM, Serge E. Hallyn wrote: > On Fri, Jun 23, 2017 at 10:01:46AM +0300, Amir Goldstein wrote: >> On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger >> wrote: >> > This series of patches primary goal is to enable file capabilities >> > in user namespaces without affecting

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-27 Thread Serge E. Hallyn
On Fri, Jun 23, 2017 at 10:01:46AM +0300, Amir Goldstein wrote: > On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger > wrote: > > This series of patches primary goal is to enable file capabilities > > in user namespaces without affecting the file capabilities that are > > effective on the host. This

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Casey Schaufler
On 6/23/2017 4:09 PM, Stefan Berger wrote: > On 06/23/2017 02:35 PM, Serge E. Hallyn wrote: >> Quoting Stefan Berger (stef...@linux.vnet.ibm.com): >>> On 06/23/2017 12:16 PM, Casey Schaufler wrote: On 6/23/2017 9:00 AM, Serge E. Hallyn wrote: > Quoting Amir Goldstein (amir7...@gmail.com):

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Stefan Berger
On 06/23/2017 02:35 PM, Serge E. Hallyn wrote: Quoting Stefan Berger (stef...@linux.vnet.ibm.com): On 06/23/2017 12:16 PM, Casey Schaufler wrote: On 6/23/2017 9:00 AM, Serge E. Hallyn wrote: Quoting Amir Goldstein (amir7...@gmail.com): On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger wrote:

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Serge E. Hallyn
Quoting Vivek Goyal (vgo...@redhat.com): > On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote: > > Quoting Vivek Goyal (vgo...@redhat.com): > > > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote: > > > > This series of patches primary goal is to enable file capabilities >

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Vivek Goyal
On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote: > Quoting Vivek Goyal (vgo...@redhat.com): > > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote: > > > This series of patches primary goal is to enable file capabilities > > > in user namespaces without affecting the

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Casey Schaufler
On 6/23/2017 11:35 AM, Serge E. Hallyn wrote: > Quoting Stefan Berger (stef...@linux.vnet.ibm.com): >> On 06/23/2017 12:16 PM, Casey Schaufler wrote: >>> On 6/23/2017 9:00 AM, Serge E. Hallyn wrote: Quoting Amir Goldstein (amir7...@gmail.com): > On Thu, Jun 22, 2017 at 9:59 PM, Stefan

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Serge E. Hallyn
Quoting Vivek Goyal (vgo...@redhat.com): > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote: > > This series of patches primary goal is to enable file capabilities > > in user namespaces without affecting the file capabilities that are > > effective on the host. This is to prevent

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Vivek Goyal
On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote: > This series of patches primary goal is to enable file capabilities > in user namespaces without affecting the file capabilities that are > effective on the host. This is to prevent that any unprivileged user > on the host maps his

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > Even with one xattr of any type there is something appealing about > putting the logic that limits that xattr to a namespace in the name. As Exactly. That's the idea - from Stefan - that I thought was a worthwhile improvement over my own

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Serge E. Hallyn
Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > On 06/23/2017 12:16 PM, Casey Schaufler wrote: > >On 6/23/2017 9:00 AM, Serge E. Hallyn wrote: > >>Quoting Amir Goldstein (amir7...@gmail.com): > >>>On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger > >>> wrote: > This series of patches

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Serge E. Hallyn
Quoting Stefan Berger (stef...@linux.vnet.ibm.com): > On 06/23/2017 01:07 PM, James Bottomley wrote: > >On Fri, 2017-06-23 at 11:30 -0500, Serge E. Hallyn wrote: > >>Quoting Casey Schaufler (ca...@schaufler-ca.com): > >>>Or maybe just security.ns.capability, taking James' comment into >

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com): > "Serge E. Hallyn" writes: > > > Quoting Casey Schaufler (ca...@schaufler-ca.com): > >> On 6/23/2017 9:30 AM, Serge E. Hallyn wrote: > >> > Quoting Casey Schaufler (ca...@schaufler-ca.com): > >> >> Or maybe just security.ns.capability, taking

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Stefan Berger
On 06/23/2017 12:16 PM, Casey Schaufler wrote: On 6/23/2017 9:00 AM, Serge E. Hallyn wrote: Quoting Amir Goldstein (amir7...@gmail.com): On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger wrote: This series of patches primary goal is to enable file capabilities in user namespaces without

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Eric W. Biederman
"Serge E. Hallyn" writes: > Quoting Casey Schaufler (ca...@schaufler-ca.com): >> On 6/23/2017 9:30 AM, Serge E. Hallyn wrote: >> > Quoting Casey Schaufler (ca...@schaufler-ca.com): >> >> Or maybe just security.ns.capability, taking James' comment into account. >> > That last one may be suitable

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Eric W. Biederman
James Bottomley writes: > On Thu, 2017-06-22 at 18:36 -0500, Serge E. Hallyn wrote: >> Quoting James Bottomley (james.bottom...@hansenpartnership.com): >> > On Thu, 2017-06-22 at 14:59 -0400, Stefan Berger wrote: >> > > This series of patches primary goal is to enable file >> > > capabilities

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Stefan Berger
On 06/23/2017 01:07 PM, James Bottomley wrote: On Fri, 2017-06-23 at 11:30 -0500, Serge E. Hallyn wrote: Quoting Casey Schaufler (ca...@schaufler-ca.com): Or maybe just security.ns.capability, taking James' comment into account. That last one may be suitable as an option, useful for his

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Serge E. Hallyn
Quoting James Bottomley (james.bottom...@hansenpartnership.com): > On Fri, 2017-06-23 at 11:30 -0500, Serge E. Hallyn wrote: > > Quoting Casey Schaufler (ca...@schaufler-ca.com): > > > Or maybe just security.ns.capability, taking James' comment into > > > account. > > > > That last one may be

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread James Bottomley
On Fri, 2017-06-23 at 11:30 -0500, Serge E. Hallyn wrote: > Quoting Casey Schaufler (ca...@schaufler-ca.com): > > Or maybe just security.ns.capability, taking James' comment into > > account. > > That last one may be suitable as an option, useful for his particular > (somewhat barbaric :) use

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Serge E. Hallyn
Quoting Casey Schaufler (ca...@schaufler-ca.com): > On 6/23/2017 9:30 AM, Serge E. Hallyn wrote: > > Quoting Casey Schaufler (ca...@schaufler-ca.com): > >> Or maybe just security.ns.capability, taking James' comment into account. > > That last one may be suitable as an option, useful for his

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Casey Schaufler
On 6/23/2017 9:30 AM, Serge E. Hallyn wrote: > Quoting Casey Schaufler (ca...@schaufler-ca.com): >> On 6/23/2017 9:00 AM, Serge E. Hallyn wrote: >>> Quoting Amir Goldstein (amir7...@gmail.com): On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger wrote: > This series of patches primary

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Serge E. Hallyn
Quoting Casey Schaufler (ca...@schaufler-ca.com): > On 6/23/2017 9:00 AM, Serge E. Hallyn wrote: > > Quoting Amir Goldstein (amir7...@gmail.com): > >> On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger > >> wrote: > >>> This series of patches primary goal is to enable file capabilities > >>> in user

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Casey Schaufler
On 6/23/2017 9:00 AM, Serge E. Hallyn wrote: > Quoting Amir Goldstein (amir7...@gmail.com): >> On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger >> wrote: >>> This series of patches primary goal is to enable file capabilities >>> in user namespaces without affecting the file capabilities that are

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Serge E. Hallyn
Quoting Amir Goldstein (amir7...@gmail.com): > On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger > wrote: > > This series of patches primary goal is to enable file capabilities > > in user namespaces without affecting the file capabilities that are > > effective on the host. This is to prevent that

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-23 Thread Amir Goldstein
On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger wrote: > This series of patches primary goal is to enable file capabilities > in user namespaces without affecting the file capabilities that are > effective on the host. This is to prevent that any unprivileged user > on the host maps his own uid to

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-22 Thread Serge E. Hallyn
Quoting James Bottomley (james.bottom...@hansenpartnership.com): > On Thu, 2017-06-22 at 18:36 -0500, Serge E. Hallyn wrote: > > Yes, the use case is: to allow root in the container to set the > > privilege itself, without endangering any resources not owned by > > that root. > > OK, so you

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-22 Thread James Bottomley
On Thu, 2017-06-22 at 18:36 -0500, Serge E. Hallyn wrote: > Quoting James Bottomley (james.bottom...@hansenpartnership.com): > > On Thu, 2017-06-22 at 14:59 -0400, Stefan Berger wrote: > > > This series of patches primary goal is to enable file > > > capabilities in user namespaces without

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-22 Thread Serge E. Hallyn
Quoting James Bottomley (james.bottom...@hansenpartnership.com): > On Thu, 2017-06-22 at 14:59 -0400, Stefan Berger wrote: > > This series of patches primary goal is to enable file capabilities > > in user namespaces without affecting the file capabilities that are > > effective on the host. This

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-22 Thread Serge E. Hallyn
Quoting James Bottomley (james.bottom...@hansenpartnership.com): > On Thu, 2017-06-22 at 14:59 -0400, Stefan Berger wrote: > > This series of patches primary goal is to enable file capabilities > > in user namespaces without affecting the file capabilities that are > > effective on the host. This

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-22 Thread James Bottomley
On Thu, 2017-06-22 at 14:59 -0400, Stefan Berger wrote: > This series of patches primary goal is to enable file capabilities > in user namespaces without affecting the file capabilities that are > effective on the host. This is to prevent that any unprivileged user > on the host maps his own uid

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-22 Thread Serge E. Hallyn
Quoting Casey Schaufler (ca...@schaufler-ca.com): > On 6/22/2017 2:09 PM, Serge E. Hallyn wrote: > > Quoting Casey Schaufler (ca...@schaufler-ca.com): > >> On 6/22/2017 1:12 PM, Stefan Berger wrote: > >>> On 06/22/2017 03:59 PM, Casey Schaufler wrote: > On 6/22/2017 11:59 AM, Stefan Berger

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-22 Thread Casey Schaufler
On 6/22/2017 2:09 PM, Serge E. Hallyn wrote: > Quoting Casey Schaufler (ca...@schaufler-ca.com): >> On 6/22/2017 1:12 PM, Stefan Berger wrote: >>> On 06/22/2017 03:59 PM, Casey Schaufler wrote: On 6/22/2017 11:59 AM, Stefan Berger wrote: > This series of patches primary goal is to enable

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-22 Thread Serge E. Hallyn
Quoting Casey Schaufler (ca...@schaufler-ca.com): > On 6/22/2017 1:12 PM, Stefan Berger wrote: > > On 06/22/2017 03:59 PM, Casey Schaufler wrote: > >> On 6/22/2017 11:59 AM, Stefan Berger wrote: > >>> This series of patches primary goal is to enable file capabilities > >>> in user namespaces

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-22 Thread Stefan Berger
On 06/22/2017 04:33 PM, Casey Schaufler wrote: On 6/22/2017 1:12 PM, Stefan Berger wrote: On 06/22/2017 03:59 PM, Casey Schaufler wrote: On 6/22/2017 11:59 AM, Stefan Berger wrote: This series of patches primary goal is to enable file capabilities in user namespaces without affecting the file

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-22 Thread Casey Schaufler
On 6/22/2017 1:12 PM, Stefan Berger wrote: > On 06/22/2017 03:59 PM, Casey Schaufler wrote: >> On 6/22/2017 11:59 AM, Stefan Berger wrote: >>> This series of patches primary goal is to enable file capabilities >>> in user namespaces without affecting the file capabilities that are >>> effective on

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-22 Thread Stefan Berger
On 06/22/2017 03:59 PM, Casey Schaufler wrote: On 6/22/2017 11:59 AM, Stefan Berger wrote: This series of patches primary goal is to enable file capabilities in user namespaces without affecting the file capabilities that are effective on the host. This is to prevent that any unprivileged user

Re: [PATCH 0/3] Enable namespaced file capabilities

2017-06-22 Thread Casey Schaufler
On 6/22/2017 11:59 AM, Stefan Berger wrote: > This series of patches primary goal is to enable file capabilities > in user namespaces without affecting the file capabilities that are > effective on the host. This is to prevent that any unprivileged user > on the host maps his own uid to root in a

[PATCH 0/3] Enable namespaced file capabilities

2017-06-22 Thread Stefan Berger
This series of patches' primary goal is to enable file capabilities in user namespaces without affecting the file capabilities that are effective on the host. This is to prevent that any unprivileged user on the host maps his own uid to root in a private namespace, writes the xattr, and executes
