[Devel] Re: [RFC][PATCH 0/2] user namespace [try #2]
Kirill Korotaev
dev at sw.ru
Thu Sep 7 08:40:23 PDT 2006
> Here's a stab at semantics for how to handle file access. Should be
> pretty simple to implement, but i won't get a chance to implement this
> week.
>
> At mount, by default the vfsmount is tagged with a uid_ns.
> A new -o uid_ns=<pid> option instead tags the vfsmount with the uid_ns
> belonging to pid <pid>. Since any process in a descendent pid
> namespace should still have a valid pid in the ancestor
> pidspaces, this should work fine.
> At vfs_permission, if current->nsproxy->uid_ns != file->f_vfsmnt->uid_ns,
> 1. If file is owned by root, then read permission is granted
> 2. If file is owned by non-root, no permission is granted
> (regardless of process uid)
>
> Does this sound reasonable?
imho this in acceptable for OpenVZ as makes VE files to be inaccessiable from
host. At least this is how I understand your idea...
Am I correct?
> I assume the list of other things we'll need to consider includes
> signals between user namespaces
> keystore
> sys_setpriority and the like
> I might argue that all of these should be sufficiently protected
> by proper setup by userspace. Can you explain why that is not
> the case?
The same requirement (ability to send signals from host to VE)
is also applicable to signals.
Thanks,
Kirill
More information about the Devel
mailing list