From: "Serge E. Hallyn" <serge@hallyn.com>
To: Josef Bacik <josef@toxicpanda.com>
Cc: "Christian Brauner" <christian.brauner@ubuntu.com>,
"Stéphane Graber" <stgraber@ubuntu.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Aleksa Sarai" <cyphar@cyphar.com>,
"Jann Horn" <jannh@google.com>,
smbarber@chromium.org,
"Seth Forshee" <seth.forshee@canonical.com>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Alexey Dobriyan" <adobriyan@gmail.com>,
"Serge Hallyn" <serge@hallyn.com>,
"James Morris" <jmorris@namei.org>,
"Kees Cook" <keescook@chromium.org>,
"Jonathan Corbet" <corbet@lwn.net>,
"Phil Estes" <estesp@gmail.com>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
containers@lists.linux-foundation.org,
linux-security-module@vger.kernel.org, linux-api@vger.kernel.org,
mpawlowski@fb.com
Subject: Re: [PATCH v3 00/25] user_namespace: introduce fsid mappings
Date: Mon, 2 Mar 2020 08:34:05 -0600 [thread overview]
Message-ID: <20200302143405.GA25432@mail.hallyn.com> (raw)
In-Reply-To: <2b0fe94b-036a-919e-219b-cc1ba0641781@toxicpanda.com>
On Thu, Feb 27, 2020 at 02:33:04PM -0500, Josef Bacik wrote:
> On 2/18/20 9:33 AM, Christian Brauner wrote:
> > Hey everyone,
> >
> > This is v3 after (off- and online) discussions with Jann the following
> > changes were made:
> > - To handle nested user namespaces cleanly, efficiently, and with full
> > backwards compatibility for non fsid-mapping aware workloads we only
> > allow writing fsid mappings as long as the corresponding id mapping
> > type has not been written.
> > - Split the patch which adds the internal ability in
> > kernel/user_namespace to verify and write fsid mappings into tree
> > patches:
> > 1. [PATCH v3 04/25] fsuidgid: add fsid mapping helpers
> > patch to implement core helpers for fsid translations (i.e.
> > make_kfs*id(), from_kfs*id{_munged}(), kfs*id_to_k*id(),
> > k*id_to_kfs*id()
> > 2. [PATCH v3 05/25] user_namespace: refactor map_write()
> > patch to refactor map_write() in order to prepare for actual fsid
> > mappings changes in the following patch. (This should make it
> > easier to review.)
> > 3. [PATCH v3 06/25] user_namespace: make map_write() support fsid mappings
> > patch to implement actual fsid mappings support in mape_write()
> > - Let the keyctl infrastructure only operate on kfsid which are always
> > mapped/looked up in the id mappings similar to what we do for
> > filesystems that have the same superblock visible in multiple user
> > namespaces.
> >
> > This version also comes with minimal tests which I intend to expand in
> > the future.
> >
> > From pings and off-list questions and discussions at Google Container
> > Security Summit there seems to be quite a lot of interest in this
> > patchset with use-cases ranging from layer sharing for app containers
> > and k8s, as well as data sharing between containers with different id
> > mappings. I haven't Cced all people because I don't have all the email
> > adresses at hand but I've at least added Phil now. :)
> >
> I put this into a kernel for our container guys to mess with in order to
> validate it would actually be useful for real world uses. I've cc'ed the
> guy who did all of the work in case you have specific questions.
>
> Good news is the interface is acceptable, albeit apparently the whole user
> ns interface sucks in general. But you haven't made it worse, so success!
Well I very much disagree here :) With the first part! But I do
understand the shortcomings. Anyway,
I still hope we get to talk about this in person, but IMO this is the
right approach (this being - thinking about how to make the uid mappings
more flexible without making them too complicated to be safe to use),
but a bit too static in terms of target. There are at least two ways
that I could see usefully generalizing it
From a user space pov, the following goal is indespensible (for my use
cases): that the fsuid be selectable based on fs, mountpoint, or file
context (as in selinux).
From a userns pov, one way to look at it is this: when task t1 signals
task t2, it's not only t1's namespace that's considered when filling in
the sender uid, but also t2's. Likewise, when writing a file, we should
consider both t1's fsuid+userns, and the file's, mount's, or filesystem's
userns.
From that POV, your patch is a step in the right direction and could be
taken as is (modulo any tmpfs fix Josef needs :) From there I would
propose adding a 'userns=<uidnsfd>' bind mount option, so we could create
an empty userns with the desired mapping (subject to permissions granted
by subuids), get an fd to the uidns, and say
mount --bind -o uidns=5 /shared /containers/c1/mnt/shared
So now when I write a file /etc/hosts as container fsuid 0, it'll be
subject to the container rootfs mount's uid mapping, presumably
100000. When I write /mnt/shared/hello, it'll be subject to the mount's
uid mapping, which might be 1000.
-serge
prev parent reply other threads:[~2020-03-02 14:34 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-18 14:33 [PATCH v3 00/25] user_namespace: introduce fsid mappings Christian Brauner
2020-02-18 14:33 ` [PATCH v3 01/25] user_namespace: introduce fsid mappings infrastructure Christian Brauner
2020-02-19 2:33 ` Serge E. Hallyn
2020-02-18 14:33 ` [PATCH v3 02/25] proc: add /proc/<pid>/fsuid_map Christian Brauner
2020-02-19 2:33 ` Serge E. Hallyn
2020-02-18 14:33 ` [PATCH v3 03/25] proc: add /proc/<pid>/fsgid_map Christian Brauner
2020-02-19 2:33 ` Serge E. Hallyn
2020-02-18 14:33 ` [PATCH v3 04/25] fsuidgid: add fsid mapping helpers Christian Brauner
2020-02-18 14:33 ` [PATCH v3 05/25] user_namespace: refactor map_write() Christian Brauner
2020-02-19 2:35 ` Serge E. Hallyn
2020-02-18 14:33 ` [PATCH v3 06/25] user_namespace: make map_write() support fsid mappings Christian Brauner
2020-02-19 16:18 ` Jann Horn
2020-02-18 14:33 ` [PATCH v3 07/25] proc: task_state(): use from_kfs{g,u}id_munged Christian Brauner
2020-02-19 2:36 ` Serge E. Hallyn
2020-02-18 14:33 ` [PATCH v3 08/25] cred: add kfs{g,u}id Christian Brauner
2020-02-18 14:33 ` [PATCH v3 09/25] fs: add is_userns_visible() helper Christian Brauner
2020-02-19 2:42 ` Serge E. Hallyn
2020-02-19 12:06 ` Christian Brauner
2020-02-19 17:18 ` Andy Lutomirski
2020-02-20 14:26 ` Serge E. Hallyn
2020-02-18 14:33 ` [PATCH v3 10/25] namei: may_{o_}create(): handle fsid mappings Christian Brauner
2020-02-18 14:33 ` [PATCH v3 11/25] inode: inode_owner_or_capable(): " Christian Brauner
2020-02-18 22:25 ` Christoph Hellwig
2020-02-19 12:29 ` Christian Brauner
2020-02-18 14:33 ` [PATCH v3 12/25] capability: privileged_wrt_inode_uidgid(): " Christian Brauner
2020-02-18 14:33 ` [PATCH v3 13/25] stat: " Christian Brauner
2020-02-18 14:34 ` [PATCH v3 14/25] open: " Christian Brauner
2020-02-18 14:34 ` [PATCH v3 15/25] posix_acl: " Christian Brauner
2020-02-18 22:26 ` Christoph Hellwig
2020-02-19 12:56 ` Christian Brauner
2020-02-18 14:34 ` [PATCH v3 16/25] attr: notify_change(): " Christian Brauner
2020-02-18 14:34 ` [PATCH v3 17/25] commoncap: cap_bprm_set_creds(): " Christian Brauner
2020-02-18 14:34 ` [PATCH v3 18/25] commoncap: cap_task_fix_setuid(): " Christian Brauner
2020-02-18 14:34 ` [PATCH v3 19/25] commoncap: handle fsid mappings with vfs caps Christian Brauner
2020-02-19 15:53 ` Jann Horn
2020-02-18 14:34 ` [PATCH v3 20/25] exec: bprm_fill_uid(): handle fsid mappings Christian Brauner
2020-02-18 14:34 ` [PATCH v3 21/25] ptrace: adapt ptrace_may_access() to always uses unmapped fsids Christian Brauner
2020-02-18 14:34 ` [PATCH v3 22/25] devpts: handle fsid mappings Christian Brauner
2020-02-18 14:34 ` [PATCH v3 23/25] keys: " Christian Brauner
2020-02-18 14:34 ` [PATCH v3 24/25] sys: handle fsid mappings in set*id() calls Christian Brauner
2020-02-19 15:42 ` Jann Horn
2020-02-18 14:34 ` [PATCH v3 25/25] selftests: add simple fsid mapping selftests Christian Brauner
2020-02-18 23:50 ` [PATCH v3 00/25] user_namespace: introduce fsid mappings James Bottomley
2020-02-19 12:27 ` Christian Brauner
2020-02-19 15:36 ` James Bottomley
2020-02-19 15:33 ` Jann Horn
2020-02-19 19:35 ` Serge E. Hallyn
2020-02-19 21:48 ` Serge E. Hallyn
2020-02-19 21:56 ` Tycho Andersen
2020-02-27 19:33 ` Josef Bacik
2020-03-02 14:34 ` Serge E. Hallyn [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200302143405.GA25432@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=adobriyan@gmail.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux-foundation.org \
--cc=corbet@lwn.net \
--cc=cyphar@cyphar.com \
--cc=ebiederm@xmission.com \
--cc=estesp@gmail.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=josef@toxicpanda.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mpawlowski@fb.com \
--cc=seth.forshee@canonical.com \
--cc=smbarber@chromium.org \
--cc=stgraber@ubuntu.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).