From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
To: Amir Goldstein <amir73il@gmail.com>,
James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: Christoph Hellwig <hch@infradead.org>,
Djalal Harouni <tixxdz@gmail.com>, Chris Mason <clm@fb.com>,
Theodore Tso <tytso@mit.edu>,
Josh Triplett <josh@joshtriplett.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Andy Lutomirski <luto@kernel.org>,
Seth Forshee <seth.forshee@canonical.com>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
Dongsu Park <dongsu@endocode.com>,
David Herrmann <dh.herrmann@googlemail.com>,
Miklos Szeredi <mszeredi@redhat.com>,
Alban Crequy <alban.crequy@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
"Serge E. Hallyn" <serge@hallyn.com>,
Phil Estes <estesp@gmail.com>
Subject: Re: [RFC 1/1] shiftfs: uid/gid shifting bind mount
Date: Wed, 8 Feb 2017 14:45:08 +0300 [thread overview]
Message-ID: <e3ee0c34-9385-09d7-94fd-961a7a2f4f6a@yandex-team.ru> (raw)
In-Reply-To: <CAOQ4uxiSL+ooYB+=8AJHgnw6GWwgtkAn=8qGVOEnJdZJR0OcoQ@mail.gmail.com>
On 08.02.2017 09:44, Amir Goldstein wrote:
> On Wed, Feb 8, 2017 at 1:42 AM, James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
>> On Tue, 2017-02-07 at 14:25 -0800, Christoph Hellwig wrote:
>>> On Tue, Feb 07, 2017 at 11:01:29PM +0200, Amir Goldstein wrote:
>>>> Project id's are not exactly "subtree" semantic, but inheritance
>>>> semantics,
>>>> which is not the same when non empty directories get their project
>>>> id changed.
>>>> Here is a recap:
>>>> https://lwn.net/Articles/623835/
>>>
>>> Yes - but if we abuse them for containers we could refine the
>>> semantics to simply not allow change of project ids from inside
>>> containers based on say capabilities.
>>
>
> You mean something like this:
> https://lwn.net/Articles/632917/
>
> With the suggested protected_projects, projid 0 (also inside container)
> gets a special meaning, much like user 0, so we may do interesting
> things with the projid that is mapped to 0.
>
>> We can't really abuse projectid, it's part of the user namespace
>> mapping (for project quota). What we can do is have a new id that
>> behaves like it.
>>
>
> Perhaps we *can* use projid without abusing it.
> userns already maps projids, but there is no concept of "owning project"
> for a userns, nor does it make a lot of sense, because projid is not
> part of the credentials.
> But if we re-brand it as "container root projid", we can try to use it
> for defining semantics to grant unprivileged access to a subtree.
>
> The functionality you are trying to get with shiftfs mark does
> sounds a bit like "container root projid":
> - inodes with mapped projid MAY be uid/gid shifted
> - inodes with unmapped projid MAY NOT
>
> I realize this may be very raw, but its a start. If you like this
> direction we can try to develop it.
>
>> But like I said, we don't really need a ful ID, it would basically just
>> be a single bit mark to say remap or not when doing permission checks
>> against this inode. It would follow some of the project id semantics
>> (like inheritance from parent dir)
>>
>
> But a single bit would only work for single level of userns nesting won't it?
>
>
>>>> I guess we should define the semantics for the required sub-tree
>>>> marking, before we can talk about solutions.
>>>
>>> Good plan.
>>
>> So I've been thinking about how to do this without subtree marking and
>> yet retain the subtree properties similar to project id. The advantage
>> would be that if it can be done using only inode properties, then none
>> of the permission prototypes need change. The only real subtree
>> property we need is ability to bind into an unprivileged mount
>> namespace, but we already have that. The gotcha about marking inodes
>> is that they're all or nothing, so every subtree that gets access to
>> the inode inherits the mark. This means that we cannot allow a user
>> access to a marked inode without the cover of an unprivileged user
>> namespace, but I think that's fixable in the permission check
>> (basically if the inode is marked you *only* get access if you have a
>> user_ns != init_user_ns and we do the permission shifts or you have
>> user_ns == init_user_ns and you are admin capable).
>>
>
> I didn't follow, but it sounds like your proposed solutions is only
> good for single level of userns nesting.
> Do you think you can redefine it in terms of "container root projid".
>
Looks like all this started from mangling uid/gid or some other metadata.
As usual, I have to propose funny/insane solutions:
proxify filesystem with fuse and mangle everything in userspace.
Or add some kind of userspace-driver remapping/mangling into overlay,
for example using BPF script (I see it everywhere nowdays).
next prev parent reply other threads:[~2017-02-08 12:00 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-04 19:18 [RFC 0/1] shiftfs: uid/gid shifting filesystem (s_user_ns version) James Bottomley
2017-02-04 19:19 ` [RFC 1/1] shiftfs: uid/gid shifting bind mount James Bottomley
2017-02-05 7:51 ` Amir Goldstein
2017-02-06 1:18 ` James Bottomley
2017-02-06 6:59 ` Amir Goldstein
2017-02-06 14:41 ` James Bottomley
2017-02-14 23:03 ` Vivek Goyal
2017-02-14 23:45 ` James Bottomley
2017-02-15 14:17 ` Vivek Goyal
2017-02-16 15:51 ` James Bottomley
2017-02-16 16:42 ` Vivek Goyal
2017-02-16 16:58 ` James Bottomley
2017-02-17 1:57 ` Eric W. Biederman
2017-02-17 8:39 ` Djalal Harouni
2017-02-17 17:19 ` James Bottomley
2017-02-20 4:24 ` Eric W. Biederman
2017-02-22 12:01 ` James Bottomley
2017-02-06 3:25 ` J. R. Okajima
2017-02-06 6:38 ` Amir Goldstein
2017-02-06 16:29 ` James Bottomley
2017-02-06 6:46 ` James Bottomley
2017-02-06 14:50 ` Theodore Ts'o
2017-02-06 15:18 ` James Bottomley
2017-02-06 15:38 ` lkml
2017-02-06 17:32 ` James Bottomley
2017-02-06 21:52 ` J. Bruce Fields
2017-02-07 0:10 ` James Bottomley
2017-02-07 1:35 ` J. Bruce Fields
2017-02-07 19:01 ` James Bottomley
2017-02-07 19:47 ` Christoph Hellwig
2017-02-06 16:24 ` J. R. Okajima
2017-02-21 0:48 ` James Bottomley
2017-02-21 2:57 ` J. R. Okajima
2017-02-21 4:07 ` James Bottomley
2017-02-21 4:34 ` J. R. Okajima
2017-02-07 9:19 ` Christoph Hellwig
2017-02-07 9:39 ` Djalal Harouni
2017-02-07 9:53 ` Christoph Hellwig
2017-02-07 16:37 ` James Bottomley
2017-02-07 17:59 ` Amir Goldstein
2017-02-07 18:10 ` Christoph Hellwig
2017-02-07 19:02 ` James Bottomley
2017-02-07 19:49 ` Christoph Hellwig
2017-02-07 20:05 ` James Bottomley
2017-02-07 21:01 ` Amir Goldstein
2017-02-07 22:25 ` Christoph Hellwig
2017-02-07 23:42 ` James Bottomley
2017-02-08 6:44 ` Amir Goldstein
2017-02-08 11:45 ` Konstantin Khlebnikov [this message]
2017-02-08 14:57 ` James Bottomley
2017-02-08 15:15 ` James Bottomley
2017-02-08 1:54 ` Josh Triplett
2017-02-08 15:22 ` James Bottomley
2017-02-09 10:36 ` Josh Triplett
2017-02-09 15:34 ` James Bottomley
2017-02-13 10:15 ` Eric W. Biederman
2017-02-15 9:33 ` Djalal Harouni
2017-02-15 9:37 ` Eric W. Biederman
2017-02-15 10:04 ` Djalal Harouni
2017-02-07 18:20 ` James Bottomley
2017-02-07 19:48 ` Djalal Harouni
2017-02-15 20:34 ` Vivek Goyal
2017-02-16 15:56 ` James Bottomley
2017-02-17 2:55 ` Al Viro
2017-02-17 17:34 ` James Bottomley
2017-02-17 20:35 ` Vivek Goyal
2017-02-19 3:24 ` James Bottomley
2017-02-20 19:26 ` Vivek Goyal
2017-02-21 0:38 ` James Bottomley
2017-02-17 2:29 ` Al Viro
2017-02-17 17:24 ` James Bottomley
2017-02-17 17:51 ` Al Viro
2017-02-17 20:27 ` Vivek Goyal
2017-02-17 20:50 ` James Bottomley
-- strict thread matches above, loose matches on Subject: below --
2016-05-12 19:06 [RFC 0/1] shiftfs: uid/gid shifting filesystem James Bottomley
2016-05-12 19:07 ` [RFC 1/1] shiftfs: uid/gid shifting bind mount James Bottomley
2016-05-16 19:41 ` Serge Hallyn
2016-05-17 2:28 ` James Bottomley
2016-05-17 3:47 ` Serge E. Hallyn
2016-05-17 10:23 ` James Bottomley
2016-05-17 20:59 ` James Bottomley
2016-05-19 2:28 ` Serge E. Hallyn
2016-05-19 10:53 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e3ee0c34-9385-09d7-94fd-961a7a2f4f6a@yandex-team.ru \
--to=khlebnikov@yandex-team.ru \
--cc=James.Bottomley@hansenpartnership.com \
--cc=alban.crequy@gmail.com \
--cc=amir73il@gmail.com \
--cc=clm@fb.com \
--cc=dh.herrmann@googlemail.com \
--cc=dongsu@endocode.com \
--cc=ebiederm@xmission.com \
--cc=estesp@gmail.com \
--cc=hch@infradead.org \
--cc=josh@joshtriplett.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mszeredi@redhat.com \
--cc=serge@hallyn.com \
--cc=seth.forshee@canonical.com \
--cc=tixxdz@gmail.com \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.