On Thu, Nov 19, 2015 at 03:49:00PM +0100, Richard Weinberger wrote:
> On 19.11.2015 at 15:37, Colin Walters wrote:
> > On Thu, Nov 19, 2015, at 02:53 AM, Richard Weinberger wrote:
> >
> >> Erm, I don't want this in the kernel. That's why I've proposed the lklfuse
> >> approach.
> >
> > I
On 19.11.2015 at 15:37, Colin Walters wrote:
> On Thu, Nov 19, 2015, at 02:53 AM, Richard Weinberger wrote:
>
>> Erm, I don't want this in the kernel. That's why I've proposed the lklfuse
>> approach.
>
> I already said this before but just to repeat, since I'm confused:
>
> How would
On Thu, Nov 19, 2015, at 02:53 AM, Richard Weinberger wrote:
> Erm, I don't want this in the kernel. That's why I've proposed the lklfuse
> approach.
I already said this before but just to repeat, since I'm confused:
How would "lklfuse" be different from http://libguestfs.org/
which we at Red
On 11/18/2015 04:58 PM, Al Viro wrote:
> On Wed, Nov 18, 2015 at 08:22:38AM -0600, Seth Forshee wrote:
>
>> But it still requires the admin set it up that way, no? And aren't
>> privileges required to set up those devices in the first place?
>>
>> I'm not saying that it wouldn't be a good idea
On Wed, Nov 18, 2015 at 02:58:18PM +, Al Viro wrote:
> On Wed, Nov 18, 2015 at 08:22:38AM -0600, Seth Forshee wrote:
>
> > But it still requires the admin set it up that way, no? And aren't
> > privileges required to set up those devices in the first place?
> >
> > I'm not saying that it
On 2015-11-18 09:58, Al Viro wrote:
On Wed, Nov 18, 2015 at 08:22:38AM -0600, Seth Forshee wrote:
But it still requires the admin set it up that way, no? And aren't
privileges required to set up those devices in the first place?
I'm not saying that it wouldn't be a good idea to lock down the
On Wed, Nov 18, 2015 at 09:05:12AM -0600, Seth Forshee wrote:
> Yes, the host admin. I'm not talking about trusting the admin inside the
> container at all.
Then why not have the same host admin just plain mount it when setting the
container up and be done with that? From the host namespace,
On Wed, Nov 18, 2015 at 02:10:45PM -0500, Theodore Ts'o wrote:
> On Tue, Nov 17, 2015 at 12:34:44PM -0600, Seth Forshee wrote:
> > On Tue, Nov 17, 2015 at 05:55:06PM +, Al Viro wrote:
> > > On Tue, Nov 17, 2015 at 11:25:51AM -0600, Seth Forshee wrote:
> > >
> > > > Shortly after that I plan
On Tue, Nov 17, 2015 at 12:34:44PM -0600, Seth Forshee wrote:
> On Tue, Nov 17, 2015 at 05:55:06PM +, Al Viro wrote:
> > On Tue, Nov 17, 2015 at 11:25:51AM -0600, Seth Forshee wrote:
> >
> > > Shortly after that I plan to follow with support for ext4. I've been
> > > fuzzing ext4 for a while
On 2015-11-17 16:32, Seth Forshee wrote:
On Tue, Nov 17, 2015 at 03:54:50PM -0500, Austin S Hemmelgarn wrote:
On 2015-11-17 14:16, Seth Forshee wrote:
On Tue, Nov 17, 2015 at 02:02:09PM -0500, Austin S Hemmelgarn wrote:
On 2015-11-17 12:55, Al Viro wrote:
On Tue, Nov 17, 2015 at 11:25:51AM
On 2015-11-17 17:01, Seth Forshee wrote:
On Tue, Nov 17, 2015 at 09:05:42PM +, Al Viro wrote:
On Tue, Nov 17, 2015 at 03:39:16PM -0500, Austin S Hemmelgarn wrote:
This is absolutely insane, no matter how much LSM snake oil you slather on
the whole thing. All of a sudden you are exposing
On Wed, Nov 18, 2015 at 07:23:48AM -0500, Austin S Hemmelgarn wrote:
> On 2015-11-17 16:32, Seth Forshee wrote:
> >On Tue, Nov 17, 2015 at 03:54:50PM -0500, Austin S Hemmelgarn wrote:
> >>On 2015-11-17 14:16, Seth Forshee wrote:
> >>>On Tue, Nov 17, 2015 at 02:02:09PM -0500, Austin S Hemmelgarn
On Wed, Nov 18, 2015 at 07:46:53AM -0500, Austin S Hemmelgarn wrote:
> On 2015-11-17 17:01, Seth Forshee wrote:
> >On Tue, Nov 17, 2015 at 09:05:42PM +, Al Viro wrote:
> >>On Tue, Nov 17, 2015 at 03:39:16PM -0500, Austin S Hemmelgarn wrote:
> >>
> This is absolutely insane, no matter how
On Wed, Nov 18, 2015 at 08:22:38AM -0600, Seth Forshee wrote:
> But it still requires the admin set it up that way, no? And aren't
> privileges required to set up those devices in the first place?
>
> I'm not saying that it wouldn't be a good idea to lock down the backing
> stores for those
On Wed, 18 Nov 2015, Richard Weinberger wrote:
> On Wed, Nov 18, 2015 at 4:13 PM, Al Viro wrote:
> > On Wed, Nov 18, 2015 at 09:05:12AM -0600, Seth Forshee wrote:
> >
> >> Yes, the host admin. I'm not talking about trusting the admin inside the
> >> container at all.
> >
On 19.11.2015 at 08:47, James Morris wrote:
> On Wed, 18 Nov 2015, Richard Weinberger wrote:
>
>> On Wed, Nov 18, 2015 at 4:13 PM, Al Viro wrote:
>>> On Wed, Nov 18, 2015 at 09:05:12AM -0600, Seth Forshee wrote:
>>>
Yes, the host admin. I'm not talking about
Hi Eric,
Here's another update to my patches for user namespace mounts, based on
your for-testing branch. These patches add safeguards necessary to allow
unprivileged mounts and update SELinux and Smack to safely handle
device-backed mounts from unprivileged users.
The v2 posting received very
On Tue, Nov 17, 2015 at 05:55:06PM +, Al Viro wrote:
> On Tue, Nov 17, 2015 at 11:25:51AM -0600, Seth Forshee wrote:
>
> > Shortly after that I plan to follow with support for ext4. I've been
> > fuzzing ext4 for a while now and it has held up well, and I'm currently
> > working on
On 2015-11-17 12:55, Al Viro wrote:
On Tue, Nov 17, 2015 at 11:25:51AM -0600, Seth Forshee wrote:
Shortly after that I plan to follow with support for ext4. I've been
fuzzing ext4 for a while now and it has held up well, and I'm currently
working on hand-crafted attacks. Ted has commented
On Tue, Nov 17, 2015 at 7:34 PM, Seth Forshee
wrote:
> On Tue, Nov 17, 2015 at 05:55:06PM +, Al Viro wrote:
>> On Tue, Nov 17, 2015 at 11:25:51AM -0600, Seth Forshee wrote:
>>
>> > Shortly after that I plan to follow with support for ext4. I've been
>> > fuzzing
On Tue, Nov 17, 2015 at 02:02:09PM -0500, Austin S Hemmelgarn wrote:
> On 2015-11-17 12:55, Al Viro wrote:
> >On Tue, Nov 17, 2015 at 11:25:51AM -0600, Seth Forshee wrote:
> >
> >>Shortly after that I plan to follow with support for ext4. I've been
> >>fuzzing ext4 for a while now and it has held
On Tue, Nov 17, 2015 at 9:21 PM, Seth Forshee
wrote:
>
> On Tue, Nov 17, 2015 at 08:12:31PM +0100, Richard Weinberger wrote:
> > On Tue, Nov 17, 2015 at 7:34 PM, Seth Forshee
> > wrote:
> > > On Tue, Nov 17, 2015 at 05:55:06PM +, Al
On 2015-11-17 14:30, Al Viro wrote:
On Tue, Nov 17, 2015 at 02:02:09PM -0500, Austin S Hemmelgarn wrote:
_Static_ attacks, or change-image-under-mounted-fs attacks?
To properly protect against attacks on mounted filesystems, we'd
need some new concept of a userspace immutable file (that is,
On Tue, Nov 17, 2015 at 03:39:16PM -0500, Austin S Hemmelgarn wrote:
> >This is absolutely insane, no matter how much LSM snake oil you slather on
> >the whole thing. All of a sudden you are exposing a huge attack surface
> >in the place where it would hurt most and as the consolation we are
On 17.11.2015 at 20:25, Octavian Purdila wrote:
> On Tue, Nov 17, 2015 at 9:21 PM, Seth Forshee
> wrote:
>>
>> On Tue, Nov 17, 2015 at 08:12:31PM +0100, Richard Weinberger wrote:
>>> On Tue, Nov 17, 2015 at 7:34 PM, Seth Forshee
>>> wrote:
On Tue, Nov 17, 2015 at 10:12 PM, Richard Weinberger wrote:
> On 17.11.2015 at 20:25, Octavian Purdila wrote:
>> On Tue, Nov 17, 2015 at 9:21 PM, Seth Forshee
>> wrote:
>>>
>>> On Tue, Nov 17, 2015 at 08:12:31PM +0100, Richard Weinberger wrote:
On Tue, Nov 17, 2015 at 09:05:42PM +, Al Viro wrote:
> On Tue, Nov 17, 2015 at 03:39:16PM -0500, Austin S Hemmelgarn wrote:
>
> > >This is absolutely insane, no matter how much LSM snake oil you slather on
> > >the whole thing. All of a sudden you are exposing a huge attack surface
> > >in
On Tue, Nov 17, 2015 at 03:54:50PM -0500, Austin S Hemmelgarn wrote:
> On 2015-11-17 14:16, Seth Forshee wrote:
> >On Tue, Nov 17, 2015 at 02:02:09PM -0500, Austin S Hemmelgarn wrote:
> >>On 2015-11-17 12:55, Al Viro wrote:
> >>>On Tue, Nov 17, 2015 at 11:25:51AM -0600, Seth Forshee wrote:
> >>>
>
28 matches