[Devel] Re: [PATCH 1/1] RFC: taking a crack at targeted capabilities

Eric W. Biederman ebiederm at xmission.com
Mon Feb 15 03:06:10 PST 2010


"Serge E. Hallyn" <serue at us.ibm.com> writes:

> Quoting Eric W. Biederman (ebiederm at xmission.com):
>> "Serge E. Hallyn" <serue at us.ibm.com> writes:
>> 
>> > So i was thinking about how to safely but incrementally introduce
>> > targeted capabilities - which we decided was a prereq to making VFS
>> > handle user namespaces - and the following seemed doable.  My main
>> > motivations were (in order):
>> >
>> >         1. don't make any unconverted capable() checks unsafe
>> >         2. minimize performance impact on non-container case
>> >         3. minimize performance impact on containers
>> 
>> My motivation is a bit different.  I would like to get to the
>> unprivileged creation of new namespaces.  It looks like this gets us
>> 90% of the way there, with only potential uid confusion issues left.
>
> Just a pair of instances of uid comparison are now addressed in
>
> 	http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/sergeh/linux-cr.git;a=shortlog;h=refs/heads/feb13.userns.uid_equivs
>
> which has your patch "taking a crack at targeted capabilities" at its
> core.  Talk about your baby steps...  But I need to go back and re-read
> what we'd discussed over the last few years about how we wanted to
> tag superblocks/mounts->inodes before I go on.
>
> Anyway now uid equivalence checks are ns-aware for basic vfs_permission
> and task kill at least.  It's a start.

Thanks for keeping this alive.

I took a quick skim through your patches and things look a little rough
(you are patching your patches) but it looks like you are wrapping your
head around the ideas pretty well, and the ns_capable etc seem to be working.
Hooray!

The big idea was that the generic filesystem interface would speak multiple
uid namespaces, and the generic default would do something simple and pick
a single namespace for all of the comparisons to be against.  Then we would
have a generic library for filesystem to implement mount options describing
how they wanted to map uids in different namespaces into what they could
store on the filesystem.

Eric
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers




More information about the Devel mailing list