From: Serge Hallyn
Subject: Re: [REVIEW][PATCH 0/43] Completing the user namespace
Date: Tue, 10 Apr 2012 23:16:36 -0500
Message-ID: <20120411041636.GB7153@sergelap>
References: <4F84838B.8000408@mit.edu>
To: "Eric W. Biederman"
Cc: Andrew Lutomirski, Markus Gutschke, Will Drewry, Cyrill Gorcunov,
    linux-security-module@vger.kernel.org, Al Viro,
    linux-fsdevel@vger.kernel.org, Andrew Morton, Linus Torvalds

Quoting Eric W. Biederman (ebiederm@xmission.com):
> Andrew Lutomirski writes:
> Still given that you aren't doing the very restrictive current_cred()
> must not change I don't know how it matters, and a bpf based seccomp can
> pretty easily filter out new user namespace creation.

Shrug. I very much want and intend to use both user namespaces and
seccomp2 together.

Speaking in terms of the old userns implementation, once a container has
been created, no child of my task will change uid/gid or gain/move
capabilities in the original user namespace. But they're free to do so
at will in the child user namespace. Since the capabilities are targeted
at the child namespaces, that's fine.

And as Eric noted the user namespaces will allow us to increase the
attack surface, but at the same time I'm hoping to offset that somewhat
using seccomp2.

-serge