Home » Mailing lists » Devel » userns: targeted capabilities v5
| Re: [PATCH 2/9] security: Make capabilities relative to the user namespace. [message #41850 is a reply to message #41847] |
Wed, 23 February 2011 13:43   |
serge
Messages: 72
Registered: January 2007
|
Member |
|
|
Quoting David Howells (dhowells@redhat.com):
> David Howells <dhowells@redhat.com> wrote:
>
> > > int (*capable) (struct task_struct *tsk, const struct cred *cred,
> > > - int cap, int audit);
> > > + struct user_namespace *ns, int cap, int audit);
> >
> > Hmmm... A chunk of the contents of the cred struct are user-namespaced.
> > Could you add the user_namespace pointer to the cred struct and thus avoid
> > passing it as an argument to other things.
>
> Ah, no... Ignore that, I think I see that you do need it.
Thanks for reviewing, David.
> > +int cap_capable(struct task_struct *tsk, const struct cred *cred,
> > + struct user_namespace *targ_ns, int cap, int audit)
> > {
> > - return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
> > + for (;;) {
> > + /* The creator of the user namespace has all caps. */
> > + if (targ_ns != &init_user_ns && targ_ns->creator == cred->user)
> > + return 0;
>
> Why is that last comment so? Why should the creating namespace sport all
> possible capabilities? Do you have to have all capabilities available to you
> to be permitted create a new user namespace?
It's not the creating namespace, but the creating user, which has all caps.
So for instance, if uid 500 in init_user_ns creates a namespace, then:
a. uid 500 in init_user_ns has all caps to the child user_ns, so it can
kill the tasks in the userns, clean up, etc.
b. uid X in any other child user_ns has no caps to the child user_ns.
c. root in init_user_ns has whatever capabilities are in his pE to the
child user_ns. Again, this is so that the admin in any user_ns can
clean up any messes made by users in his user_ns.
One of the goals of the user namespaces it to make it safe to allow
unprivileged users to create child user namespaces in which they have
targeted privilege. Anything which happens in that child user namespace
should be:
a. constrained to resources which the user can control anyway
b. able to be cleaned up by the user
c. (especially) able to be cleaned up by the privileged user in the
parent user_ns.
> Also, would it be worth having a separate cap_ns_capable()? Wouldn't most
> calls to cap_capable() only be checking the caps granted in the current user
> namespace?
Hm. There is nsown_capable() which is targeted to current_userns(), but
that still needs to enable the caps for the privileged ancestors as
described above.
thanks,
-serge
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containe rs
|
|
|
|
 |
|
userns: targeted capabilities v5
By: serge on Thu, 17 February 2011 15:02 |
|
|
[PATCH 2/9] security: Make capabilities relative to the user namespace.
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
By: ebiederm on Fri, 18 February 2011 03:46 |
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
By: serge on Wed, 23 February 2011 13:43 |
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
|
|
Re: [PATCH 2/9] security: Make capabilities relative to the user namespace.
|
|
|
[PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: serge on Thu, 17 February 2011 15:04 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: ebiederm on Fri, 18 February 2011 01:29 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: serge on Thu, 24 February 2011 03:24 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
By: akpm on Thu, 24 February 2011 05:08 |
|
|
Re: [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks
|
|
|
[PATCH 7/9] add a user namespace owner of ipc ns
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 7/9] add a user namespace owner of ipc ns
By: ebiederm on Fri, 18 February 2011 03:19 |
|
|
Re: [PATCH 7/9] add a user namespace owner of ipc ns
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 7/9] add a user namespace owner of ipc ns
|
|
|
[PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: serge on Thu, 17 February 2011 15:02 |
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: ebiederm on Fri, 18 February 2011 03:31 |
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
|
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
|
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: ebiederm on Wed, 23 February 2011 21:21 |
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
|
|
|
Re: [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace
By: ebiederm on Wed, 23 February 2011 23:54 |
|
|
[PATCH 3/9] allow sethostname in a container
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 3/9] allow sethostname in a container
By: ebiederm on Fri, 18 February 2011 03:05 |
|
|
Re: [PATCH 3/9] allow sethostname in a container
|
|
|
[PATCH 4/9] allow killing tasks in your own or child userns
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: ebiederm on Fri, 18 February 2011 03:00 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: serge on Thu, 24 February 2011 00:48 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
By: akpm on Thu, 24 February 2011 00:54 |
|
|
Re: [PATCH 4/9] allow killing tasks in your own or child userns
|
|
|
[PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: ebiederm on Fri, 18 February 2011 01:57 |
|
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
By: akpm on Sat, 19 February 2011 00:01 |
|
|
Re: [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c
|
|
|
[PATCH 5/9] Allow ptrace from non-init user namespaces
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: ebiederm on Fri, 18 February 2011 02:59 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: serge on Fri, 18 February 2011 04:36 |
|
|
[PATCH] userns: ptrace: incorporate feedback from Eric
By: serge on Thu, 24 February 2011 00:49 |
|
|
Re: [PATCH] userns: ptrace: incorporate feedback from Eric
By: akpm on Thu, 24 February 2011 00:56 |
|
|
Re: [PATCH] userns: ptrace: incorporate feedback from Eric
By: serge on Thu, 24 February 2011 03:15 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: akpm on Fri, 18 February 2011 23:59 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
By: serge on Thu, 24 February 2011 00:43 |
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
|
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
|
|
|
Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
|
|
|
[PATCH 8/9] user namespaces: convert several capable() calls
By: serge on Thu, 17 February 2011 15:03 |
|
|
Re: [PATCH 8/9] user namespaces: convert several capable() calls
By: ebiederm on Fri, 18 February 2011 01:51 |
|
|
Re: [PATCH 8/9] user namespaces: convert several capable() calls
|
|
|
Re: userns: targeted capabilities v5
By: akpm on Fri, 18 February 2011 00:21 |
|
|
Re: userns: targeted capabilities v5
By: ebiederm on Fri, 18 February 2011 03:53 |
|
|
Re: userns: targeted capabilities v5
By: serge on Fri, 18 February 2011 04:28 |
|
|
User namespaces and keys
|
|
|
Re: User namespaces and keys
By: serge on Wed, 23 February 2011 13:58 |
|
|
Re: User namespaces and keys
By: ebiederm on Wed, 23 February 2011 14:46 |
|
|
Re: User namespaces and keys
|
|
|
Re: User namespaces and keys
By: ebiederm on Wed, 23 February 2011 15:45 |
|
|
Re: User namespaces and keys
|
|
|
Re: User namespaces and keys
|
|
|
Re: User namespaces and keys
By: ebiederm on Wed, 23 February 2011 20:55 |
|
|
Re: User namespaces and keys
|
|
|
Re: User namespaces and keys
By: ebiederm on Thu, 24 February 2011 06:56 |
Goto Forum:
Current Time: Wed Sep 18 03:39:30 GMT 2024
Total time taken to generate the page: 0.05003 seconds
|
OpenVZ Forum
Members
Search
Help
Register
Login
Home
