Re: [PATCH] userns,pidns: Verify the userns for new pid namespaces

2017-05-02 Thread Eric W. Biederman
Kirill Tkhai writes: >>> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c >>> index 2f735cbe05e8..7d8658fbabc8 100644 >>> --- a/kernel/user_namespace.c >>> +++ b/kernel/user_namespace.c >>> @@ -986,19 +986,25 @@ bool userns_may_setgroups(const struct user_namespace >>> *ns) >>> }

Re: [PATCH] userns,pidns: Verify the userns for new pid namespaces

2017-05-02 Thread Kirill Tkhai
On 02.05.2017 13:03, Kirill Tkhai wrote:
>
>
> On 29.04.2017 22:25, Eric W. Biederman wrote:
>>
>> It is pointless and confusing to allow a pid namespace hierarchy and
>> the user namespace hierarchy to get out of sync. The owner of a child
>> pid namespace should be the owner of the parent

Re: [PATCH] userns,pidns: Verify the userns for new pid namespaces

2017-05-02 Thread Kirill Tkhai
On 29.04.2017 22:25, Eric W. Biederman wrote:
>
> It is pointless and confusing to allow a pid namespace hierarchy and
> the user namespace hierarchy to get out of sync. The owner of a child
> pid namespace should be the owner of the parent pid namespace or
> a descendant of the owner of the

Re: [PATCH] userns,pidns: Verify the userns for new pid namespaces

2017-04-29 Thread Eric W. Biederman
ebied...@xmission.com (Eric W. Biederman) writes:
> "Serge E. Hallyn" writes:
>
>> Quoting Eric W. Biederman (ebied...@xmission.com):
>>>
>>> It is pointless and confusing to allow a pid namespace hierarchy and
>>> the user namespace hierarchy to get out of sync. The owner of a child
>>> pid

Re: [PATCH] userns,pidns: Verify the userns for new pid namespaces

2017-04-29 Thread Eric W. Biederman
"Serge E. Hallyn" writes:
> Quoting Eric W. Biederman (ebied...@xmission.com):
>>
>> It is pointless and confusing to allow a pid namespace hierarchy and
>> the user namespace hierarchy to get out of sync. The owner of a child
>> pid namespace should be the owner of the parent pid namespace or

Re: [PATCH] userns,pidns: Verify the userns for new pid namespaces

2017-04-29 Thread Serge E. Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com):
>
> It is pointless and confusing to allow a pid namespace hierarchy and
> the user namespace hierarchy to get out of sync. The owner of a child
> pid namespace should be the owner of the parent pid namespace or
> a descendant of the owner of

[PATCH] userns,pidns: Verify the userns for new pid namespaces

2017-04-29 Thread Eric W. Biederman
It is pointless and confusing to allow a pid namespace hierarchy and the user namespace hierarchy to get out of sync. The owner of a child pid namespace should be the owner of the parent pid namespace or a descendant of the owner of the parent pid namespace. Otherwise it is possible to
