Home » Mailing lists » Devel » userns: targeted capabilities v5
| Re: User namespaces and keys [message #41853 is a reply to message #41851] |
Wed, 23 February 2011 15:06   |
David Howells
Messages: 44
Registered: October 2006
|
Member |
|
|
Serge E. Hallyn <serge@hallyn.com> wrote:
> > I guess we need to look at how to mix keys and namespaces again.
>
> From strictly kernel pov, at the moment, keys are strictly usable only
> by the user in your own user namespace.
I'm not sure that's currently completely true. Key quota maintenance is
namespaced, and the key's owner UID/GID belong to that namespace, so that's
okay, but:
(*) key_task_permission() does not distinguish UIDs and GIDs from different
namespaces.
(*) A key can be referred to by its serial number, no matter whose namespace
it is in, and will yield up its given UID/GID, even if these aren't
actually meaningful in your namespace.
This means request_key() can successfully upcall at the moment.
I wonder if I should make the following changes:
(1) If the key and the accessor are in different user namespaces, then skip
the UID and GID comparisons in key_task_permission(). That means that to
be able to access the key you'd have to possess the key and the key would
have to grant you Possessor access, or the key would have to grant you
Other access.
(2) If the key and someone viewing the key description are in different
namespaces, then indicate that the UID and the GID are -1, irrespective of
the actual values.
(3) When an upcall is attempting to instantiate a key, it is allowed to access
the keys of requestor using the requestor's credentials (UID, GID, groups,
security label). Ensure that this will be done in the requestor's user
namespace.
Nothing should need to be done here, since search_process_keyrings()
switches to the requestor's creds.
Oh, and are security labels user-namespaced?
> We may want to look at this again, but for now I think that would be a
> safe enough default. Later, we'll probably want the user creating a
> child_user_ns to allow his keys to be inherited by the child user_ns.
That depends what you mean by 'allow his keys to be inherited'. Do you mean
copying all the creator's keys en mass? You may find all you need to do is to
provide the new intended user with a new session keyring with a link back to
the creator's session keyring.
> Though, as I type that, it seems to me that that'll just become a
> maintenance pain, and it's just plain safer to have the user re-enter
> his keys,
That would certainly be simpler.
> sharing them over a file if needed.
I'm not sure what you mean by that. Do you mean some sort of cred passing
similar to that that can be done over AF_UNIX sockets with fds?
> I'm going to not consider the TPM at the moment :)
I'm not sure the TPM is that much of a problem, assuming you're just referring
to its keystore capability...
David
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containe rs
|
|
|
|
 |
|
userns: targeted capabilities v5
By: serge on Thu, 17 February 2011 15:02 |
|
|
[PATCH 2/9] security: Make capabilities relative to the user namespace.
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
By: ebiederm on Fri, 18 February 2011 03:46 |
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
By: serge on Wed, 23 February 2011 13:43 |
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
|
|
[PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: serge on Thu, 17 February 2011 15:04 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: ebiederm on Fri, 18 February 2011 01:29 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: serge on Thu, 24 February 2011 03:24 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: akpm on Thu, 24 February 2011 05:08 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
|
|
|
[PATCH 7/9] add a user namespace owner of ipc ns
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 7/9] add a user namespace owner of ipc ns
By: ebiederm on Fri, 18 February 2011 03:19 |
|
|
Re: [PATCH 7/9] add a user namespace owner of ipc ns
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 7/9] add a user namespace owner of ipc ns
|
|
|
[PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: serge on Thu, 17 February 2011 15:02 |
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: ebiederm on Fri, 18 February 2011 03:31 |
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
|
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
|
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: ebiederm on Wed, 23 February 2011 21:21 |
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
|
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: ebiederm on Wed, 23 February 2011 23:54 |
|
|
[PATCH 3/9] allow sethostname in a container
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 3/9] allow sethostname in a container
By: ebiederm on Fri, 18 February 2011 03:05 |
|
|
Re: [PATCH 3/9] allow sethostname in a container
|
|
|
[PATCH 4/9] allow killing tasks in your own or child userns
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: ebiederm on Fri, 18 February 2011 03:00 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: serge on Thu, 24 February 2011 00:48 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: akpm on Thu, 24 February 2011 00:54 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
|
|
|
[PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: ebiederm on Fri, 18 February 2011 01:57 |
|
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: akpm on Sat, 19 February 2011 00:01 |
|
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
|
|
|
[PATCH 5/9] Allow ptrace from non-init user namespaces
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: ebiederm on Fri, 18 February 2011 02:59 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: serge on Fri, 18 February 2011 04:36 |
|
|
[PATCH] userns: ptrace: incorporate feedback from Eric
By: serge on Thu, 24 February 2011 00:49 |
|
|
Re: [PATCH] userns: ptrace: incorporate feedback from Eric
By: akpm on Thu, 24 February 2011 00:56 |
|
|
Re: [PATCH] userns: ptrace: incorporate feedback from Eric
By: serge on Thu, 24 February 2011 03:15 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: serge on Thu, 24 February 2011 00:43 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
|
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
|
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
|
|
|
[PATCH 8/9] user namespaces: convert several capable() calls
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 8/9] user namespaces: convert several capable() calls
By: ebiederm on Fri, 18 February 2011 01:51 |
|
|
Re: [PATCH 8/9] user namespaces: convert several capable() calls
|
|
|
Re: userns: targeted capabilities v5
By: akpm on Fri, 18 February 2011 00:21 |
|
|
Re: userns: targeted capabilities v5
By: ebiederm on Fri, 18 February 2011 03:53 |
|
|
Re: userns: targeted capabilities v5
By: serge on Fri, 18 February 2011 04:28 |
|
|
User namespaces and keys
|
|
|
Re: User namespaces and keys
By: serge on Wed, 23 February 2011 13:58 |
|
|
Re: User namespaces and keys
By: ebiederm on Wed, 23 February 2011 14:46 |
|
|
Re: User namespaces and keys
|
|
|
Re: User namespaces and keys
By: ebiederm on Wed, 23 February 2011 15:45 |
|
|
Re: User namespaces and keys
|
|
|
Re: User namespaces and keys
|
|
|
Re: User namespaces and keys
By: ebiederm on Wed, 23 February 2011 20:55 |
|
|
Re: User namespaces and keys
|
|
|
Re: User namespaces and keys
By: ebiederm on Thu, 24 February 2011 06:56 |
Goto Forum:
Current Time: Tue Sep 16 14:45:38 GMT 2025
Total time taken to generate the page: 0.47075 seconds
|
OpenVZ Forum
Members
Search
Help
Register
Login
Home
