Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups

On November 17, 2014 1:46:59 PM EST, Andy Lutomirski wrote: >On Mon, Nov 17, 2014 at 10:31 AM, Andy Lutomirski >wrote: >> On Mon, Nov 17, 2014 at 10:06 AM, Casey Schaufler >> wrote: >>> On 11/15/2014 1:01 AM, Josh Triplett wrote: Currently, unprivileged processes (without CAP_SETGID)

Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups

On November 17, 2014 1:07:30 PM EST, Andy Lutomirski wrote: >On Nov 17, 2014 3:37 AM, "One Thousand Gnomes" > wrote: >> >> > optional), I can do that too. The security model of "having a >group >> > gives you less privilege than not having it" seems crazy, but >> > nonetheless I can see a

Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups

On November 17, 2014 1:07:30 PM EST, Andy Lutomirski l...@amacapital.net wrote: On Nov 17, 2014 3:37 AM, One Thousand Gnomes gno...@lxorguk.ukuu.org.uk wrote: optional), I can do that too. The security model of having a group gives you less privilege than not having it seems crazy, but

Re: [PATCH 2/2] groups: Allow unprivileged processes to use setgroups to drop groups

On November 17, 2014 1:46:59 PM EST, Andy Lutomirski l...@amacapital.net wrote: On Mon, Nov 17, 2014 at 10:31 AM, Andy Lutomirski l...@amacapital.net wrote: On Mon, Nov 17, 2014 at 10:06 AM, Casey Schaufler ca...@schaufler-ca.com wrote: On 11/15/2014 1:01 AM, Josh Triplett wrote: Currently,

Re: [PATCH 1/3] fs: add O_BENEATH flag to openat(2)

On November 3, 2014 7:42:58 AM PST, Andy Lutomirski wrote: >On Mon, Nov 3, 2014 at 7:20 AM, Al Viro >wrote: >> On Mon, Nov 03, 2014 at 11:48:23AM +, David Drysdale wrote: >>> Add a new O_BENEATH flag for openat(2) which restricts the >>> provided path, rejecting (with -EACCES) paths that

Re: [PATCH 1/3] fs: add O_BENEATH flag to openat(2)

On November 3, 2014 7:42:58 AM PST, Andy Lutomirski l...@amacapital.net wrote: On Mon, Nov 3, 2014 at 7:20 AM, Al Viro v...@zeniv.linux.org.uk wrote: On Mon, Nov 03, 2014 at 11:48:23AM +, David Drysdale wrote: Add a new O_BENEATH flag for openat(2) which restricts the provided path,

Re: [RFC] dealing with proc_ns_follow_link() and "namespace" dentries

On November 1, 2014 8:06:20 AM PDT, Al Viro wrote: >On Sat, Nov 01, 2014 at 08:38:04AM +, Al Viro wrote: >> OK, interim branch (_completely_ untested, and there's quite a bit of >> work remaining) is in vfs.git#nsfs. > >... except that what got pushed was completely buggered - the last

Re: [RFC] dealing with proc_ns_follow_link() and namespace dentries

On November 1, 2014 8:06:20 AM PDT, Al Viro v...@zeniv.linux.org.uk wrote: On Sat, Nov 01, 2014 at 08:38:04AM +, Al Viro wrote: OK, interim branch (_completely_ untested, and there's quite a bit of work remaining) is in vfs.git#nsfs. ... except that what got pushed was completely buggered

Re: [PATCHv1 7/8] cgroup: cgroup namespace setns support

On October 19, 2014 1:26:29 PM CDT, Andy Lutomirski wrote: >On Sat, Oct 18, 2014 at 10:23 PM, Eric W. Biederman > wrote: >> "Serge E. Hallyn" writes: >> >>> Quoting Aditya Kali (adityak...@google.com): On Thu, Oct 16, 2014 at 2:12 PM, Serge E. Hallyn >wrote: > Quoting Aditya Kali

Re: [PATCHv1 7/8] cgroup: cgroup namespace setns support

On October 19, 2014 1:26:29 PM CDT, Andy Lutomirski l...@amacapital.net wrote: On Sat, Oct 18, 2014 at 10:23 PM, Eric W. Biederman ebied...@xmission.com wrote: Serge E. Hallyn se...@hallyn.com writes: Quoting Aditya Kali (adityak...@google.com): On Thu, Oct 16, 2014 at 2:12 PM, Serge E.