Re: [lxc-devel] [PATCH RFC] Introduce new security.nscapability xattr

2016-01-27 Thread Andy Lutomirski
On Wed, Jan 27, 2016 at 9:22 AM, Jann Horn wrote: > I think it sounds good from a security perspective. I'm a bit late to the game, but I have a question: why should this be keyed to the *root* uid of the namespace in particular? Certainly if user foo trusts the cap bits on some file, then user

Re: [lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)

2014-09-29 Thread Andy Lutomirski
On Mon, Sep 29, 2014 at 8:07 PM, Serge Hallyn wrote: > Quoting Andy Lutomirski (l...@amacapital.net): >> On Mon, Sep 29, 2014 at 4:36 PM, Eric W. Biederman >> wrote: >> > Andy Lutomirski writes: >> > >> >> On Mon, Sep 29, 2014 at 4:22 PM, Eric W. B

Re: [lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)

2014-09-29 Thread Andy Lutomirski
On Mon, Sep 29, 2014 at 4:36 PM, Eric W. Biederman wrote: > Andy Lutomirski writes: > >> On Mon, Sep 29, 2014 at 4:22 PM, Eric W. Biederman >> wrote: >>> Andy Lutomirski writes: >>> >>>> To me, this smells like MNT_DETACH does something awful whe

Re: [lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)

2014-09-29 Thread Andy Lutomirski
On Mon, Sep 29, 2014 at 4:22 PM, Eric W. Biederman wrote: > Andy Lutomirski writes: > >> To me, this smells like MNT_DETACH does something awful when there are >> mounts under the detached mount. >> >> For example: >> >> mount --rbind / /mnt >>

Re: [lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)

2014-09-29 Thread Andy Lutomirski
On Mon, Sep 29, 2014 at 4:13 PM, Andy Lutomirski wrote: > On Mon, Sep 29, 2014 at 4:07 PM, Eric W. Biederman > wrote: >> Andy Lutomirski writes: >> >>> On Mon, Sep 29, 2014 at 3:46 PM, Serge Hallyn >>> wrote: >>>> Quoting Andy Lutomirski (l...@

Re: [lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)

2014-09-29 Thread Andy Lutomirski
On Mon, Sep 29, 2014 at 4:07 PM, Eric W. Biederman wrote: > Andy Lutomirski writes: > >> On Mon, Sep 29, 2014 at 3:46 PM, Serge Hallyn >> wrote: >>> Quoting Andy Lutomirski (l...@amacapital.net): >>>> On Mon, Sep 29, 2014 at 2:46 PM, Serge Hallyn &g

Re: [lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)

2014-09-29 Thread Andy Lutomirski
On Mon, Sep 29, 2014 at 3:46 PM, Serge Hallyn wrote: > Quoting Andy Lutomirski (l...@amacapital.net): >> On Mon, Sep 29, 2014 at 2:46 PM, Serge Hallyn >> wrote: >> I'm not sure that "/" is well-defined. You have oldroot mounted on > > Whoa. Seems

Re: [lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)

2014-09-29 Thread Andy Lutomirski
On Mon, Sep 29, 2014 at 2:46 PM, Serge Hallyn wrote: > Quoting Andy Lutomirski (l...@amacapital.net): >> On Mon, Sep 29, 2014 at 1:55 PM, Serge Hallyn >> wrote: >> > Quoting Dwight Engen (dwight.en...@oracle.com): >> >> On Sat, 20 Sep 2014 03:1

Re: [lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)

2014-09-29 Thread Andy Lutomirski
On Mon, Sep 29, 2014 at 2:06 PM, Andy Lutomirski wrote: > On Mon, Sep 29, 2014 at 1:55 PM, Serge Hallyn wrote: >> Quoting Dwight Engen (dwight.en...@oracle.com): >>> On Sat, 20 Sep 2014 03:15:44 + >>> Serge Hallyn wrote: >>> >>> > This ide

Re: [lxc-devel] [PATCH 1/1] pivot_root: switch to a new mechanism (v2)

2014-09-29 Thread Andy Lutomirski
On Mon, Sep 29, 2014 at 1:55 PM, Serge Hallyn wrote: > Quoting Dwight Engen (dwight.en...@oracle.com): >> On Sat, 20 Sep 2014 03:15:44 + >> Serge Hallyn wrote: >> >> > This idea came from Andy Lutomirski. Instead of using a >> > temporary directory f

Re: [lxc-devel] [RFC PATCH 0/2] Loop device pseudo filesystem

2014-05-28 Thread Andy Lutomirski
On Wed, May 28, 2014 at 12:32 AM, Seth Forshee wrote: > On Tue, May 27, 2014 at 03:19:15PM -0700, Andy Lutomirski wrote: >> On Tue, May 27, 2014 at 2:58 PM, Seth Forshee >> wrote: >> > I'm posting these patches in response to the ongoing discussion of loop >

Re: [lxc-devel] [RFC PATCH 0/2] Loop device pseudo filesystem

2014-05-27 Thread Andy Lutomirski
On Tue, May 27, 2014 at 2:58 PM, Seth Forshee wrote: > I'm posting these patches in response to the ongoing discussion of loop > devices in containers at [1]. > > The patches implement a pseudo filesystem for loop devices, which will > allow use of loop devices in containers using standard utilit

Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces

2014-05-23 Thread Andy Lutomirski
On Fri, May 23, 2014 at 6:16 AM, James Bottomley wrote: > On Fri, 2014-05-23 at 11:20 +0300, Marian Marinov wrote: >> On 05/20/2014 05:19 PM, Serge Hallyn wrote: >> > Quoting Andy Lutomirski (l...@amacapital.net): >> >> On May 15, 2014 1:26 PM, "Serge E. Ha

Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces

2014-05-19 Thread Andy Lutomirski
On May 15, 2014 1:26 PM, "Serge E. Hallyn" wrote: > > Quoting Richard Weinberger (rich...@nod.at): > > Am 15.05.2014 21:50, schrieb Serge Hallyn: > > > Quoting Richard Weinberger (richard.weinber...@gmail.com): > > >> On Thu, May 15, 2014 at 4:08 PM, Greg Kroah-Hartman > > >> wrote: > > >>> Then

Re: [lxc-devel] ioctl CAP_LINUX_IMMUTABLE is checked in the wrong namespace

2014-04-29 Thread Andy Lutomirski
On 04/29/2014 06:49 AM, Marian Marinov wrote: > Hello, > when using user namespaces I found a bug in the capability checks done > by ioctl. > > If someone tries to use chattr +i while in a different user namespace it > will get the following: > > ioctl(3, EXT2_IOC_SETFLAGS, 0x7fffa4fedacc) = -

Re: [lxc-devel] Kernel bug? Setuid apps and user namespaces

2014-04-11 Thread Andy Lutomirski
On Fri, Apr 11, 2014 at 3:46 PM, Serge E. Hallyn wrote: > Quoting Andy Lutomirski (l...@amacapital.net): >> On Fri, Apr 11, 2014 at 3:29 PM, Serge E. Hallyn wrote: >> > Quoting Andy Lutomirski (l...@amacapital.net): >> >> On Fri, Apr 11, 2014 at 2:52 PM, Serge E.

Re: [lxc-devel] Kernel bug? Setuid apps and user namespaces

2014-04-11 Thread Andy Lutomirski
On Fri, Apr 11, 2014 at 3:29 PM, Serge E. Hallyn wrote: > Quoting Andy Lutomirski (l...@amacapital.net): >> On Fri, Apr 11, 2014 at 2:52 PM, Serge E. Hallyn wrote: >> > Quoting Andy Lutomirski (l...@amacapital.net): >> >> On Mon, Apr 7, 2014 at 11:13 AM, Serge E.

Re: [lxc-devel] Kernel bug? Setuid apps and user namespaces

2014-04-11 Thread Andy Lutomirski
On Fri, Apr 11, 2014 at 2:52 PM, Serge E. Hallyn wrote: > Quoting Andy Lutomirski (l...@amacapital.net): >> On Mon, Apr 7, 2014 at 11:13 AM, Serge E. Hallyn wrote: >> > Quoting Andy Lutomirski (l...@amacapital.net): >> >> I'm starting to think that we n

Re: [lxc-devel] Kernel bug? Setuid apps and user namespaces

2014-04-10 Thread Andy Lutomirski
On Mon, Apr 7, 2014 at 11:13 AM, Serge E. Hallyn wrote: > Quoting Andy Lutomirski (l...@amacapital.net): >> I'm starting to think that we need to extend dumpable to something >> much more general like a list of struct creds that someone needs to be >> able to ptrace, *in

Re: [lxc-devel] Kernel bug? Setuid apps and user namespaces

2014-04-04 Thread Andy Lutomirski
On Fri, Apr 4, 2014 at 12:10 PM, Serge Hallyn wrote: > Quoting Andy Lutomirski (l...@amacapital.net): >> On Fri, Apr 4, 2014 at 11:30 AM, Serge Hallyn >> wrote: >> > Quoting Andy Lutomirski (l...@amacapital.net): >> >> On 04/02/2014 10:32 AM, Serge E. Ha

Re: [lxc-devel] Kernel bug? Setuid apps and user namespaces

2014-04-04 Thread Andy Lutomirski
On Fri, Apr 4, 2014 at 11:30 AM, Serge Hallyn wrote: > Quoting Andy Lutomirski (l...@amacapital.net): >> On 04/02/2014 10:32 AM, Serge E. Hallyn wrote: >> > (Sorry - the lxc-devel list has moved, so replying to all with the >> > correct list address; please reply to t

Re: [lxc-devel] Kernel bug? Setuid apps and user namespaces

2014-04-04 Thread Andy Lutomirski
On 04/02/2014 10:32 AM, Serge E. Hallyn wrote: > (Sorry - the lxc-devel list has moved, so replying to all with the > correct list address; please reply to this rather than my previous > email) > > Quoting Serge Hallyn (serge.hal...@ubuntu.com): >> Hi Eric, >> >> (sorry, I don't seem to have the