From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ian Kent Subject: Re: call_usermodehelper in containers Date: Wed, 24 Feb 2016 08:55:16 +0800 Message-ID: <1456275316.2933.14.camel@themaw.net> References: <871u2incyo.fsf@xmission.com> <20131118172844.GA10005@redhat.com> <1455149857.2903.9.camel@themaw.net> <8737sq4teb.fsf@x220.int.ebiederm.org> <56C53DE3.1070108@jp.fujitsu.com> <1455777387.3188.24.camel@themaw.net> <1455781033.2908.5.camel@themaw.net> <87r3g9ychc.fsf@x220.int.ebiederm.org> <1455858850.3356.19.camel@themaw.net> <1456196130.2911.10.camel@themaw.net> <20160223143627.GB31951@fieldses.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20160223143627.GB31951-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: "J. Bruce Fields" Cc: linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Stanislav Kinsbursky , Jeff Layton , Greg KH , Linux Containers , Oleg Nesterov , linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, devel-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org, "Eric W. Biederman" , bharrosh-C4P08NqkoRlBDgjK7y7TUQ@public.gmane.org, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org List-Id: containers.vger.kernel.org On Tue, 2016-02-23 at 09:36 -0500, J. Bruce Fields wrote: > On Tue, Feb 23, 2016 at 10:55:30AM +0800, Ian Kent wrote: > > You know, wrt. the mechanism Oleg suggested, I've been wondering if > > it's > > even necessary to capture process template information for > > execution. > > > > Isn't the main issue the execution of unknown arbitrary objects > > getting > > access to a privileged context? > > > > Then perhaps it is sufficient to require registration of an SHA hash > > (of > > some sort) for these objects by a suitably privileged process and > > only > > allow helper execution of valid objects. > > That executable probably also depends on libraries, services, and tons > of other miscellaneous stuff in its environment. The NFSv4 client > idmapper, for example, may be doing ldap calls. Unless the helper is > created with incredible care, I don't think that it's enough just to > verify that you're executing the correct helper. Yeah, I was thinking the logistics of keeping something like this up to date would be hard but calculating this for every call would be too much overhead I think. > > --b. > > > > > If that is sufficient then helper execution from within a container > > or > > user namespace could just use the callers environment itself. > > > > What else do we need to be wary of, any thoughts Eric? > > > > Ian From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754081AbcBXAz2 (ORCPT ); Tue, 23 Feb 2016 19:55:28 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:42251 "EHLO out4-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753357AbcBXAzZ (ORCPT ); Tue, 23 Feb 2016 19:55:25 -0500 X-Sasl-enc: HlYZlTT1mAM9qx3RT20gZH6DtyDRuoYSykKP98rqALEw 1456275323 Message-ID: <1456275316.2933.14.camel@themaw.net> Subject: Re: call_usermodehelper in containers From: Ian Kent To: "J. Bruce Fields" Cc: "Eric W. Biederman" , Kamezawa Hiroyuki , Oleg Nesterov , Stanislav Kinsbursky , Jeff Layton , Greg KH , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org, devel@openvz.org, bharrosh@panasas.com, Linux Containers Date: Wed, 24 Feb 2016 08:55:16 +0800 In-Reply-To: <20160223143627.GB31951@fieldses.org> References: <871u2incyo.fsf@xmission.com> <20131118172844.GA10005@redhat.com> <1455149857.2903.9.camel@themaw.net> <8737sq4teb.fsf@x220.int.ebiederm.org> <56C53DE3.1070108@jp.fujitsu.com> <1455777387.3188.24.camel@themaw.net> <1455781033.2908.5.camel@themaw.net> <87r3g9ychc.fsf@x220.int.ebiederm.org> <1455858850.3356.19.camel@themaw.net> <1456196130.2911.10.camel@themaw.net> <20160223143627.GB31951@fieldses.org> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.16.5 (3.16.5-3.fc22) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2016-02-23 at 09:36 -0500, J. Bruce Fields wrote: > On Tue, Feb 23, 2016 at 10:55:30AM +0800, Ian Kent wrote: > > You know, wrt. the mechanism Oleg suggested, I've been wondering if > > it's > > even necessary to capture process template information for > > execution. > > > > Isn't the main issue the execution of unknown arbitrary objects > > getting > > access to a privileged context? > > > > Then perhaps it is sufficient to require registration of an SHA hash > > (of > > some sort) for these objects by a suitably privileged process and > > only > > allow helper execution of valid objects. > > That executable probably also depends on libraries, services, and tons > of other miscellaneous stuff in its environment. The NFSv4 client > idmapper, for example, may be doing ldap calls. Unless the helper is > created with incredible care, I don't think that it's enough just to > verify that you're executing the correct helper. Yeah, I was thinking the logistics of keeping something like this up to date would be hard but calculating this for every call would be too much overhead I think. > > --b. > > > > > If that is sufficient then helper execution from within a container > > or > > user namespace could just use the callers environment itself. > > > > What else do we need to be wary of, any thoughts Eric? > > > > Ian