linux-kernel.vger.kernel.org archive mirror
From: Ian Kent <ikent@redhat.com>
To: Kernel Mailing List <linux-kernel@vger.kernel.org>
Cc: "J. Bruce Fields" <bfields@fieldses.org>,
	Oleg Nesterov <onestero@redhat.com>,
	Stanislav Kinsbursky <skinsbursky@parallels.com>,
	Trond Myklebust <trond.myklebust@primarydata.com>,
	David Howells <dhowells@redhat.com>,
	Benjamin Coddington <bcodding@redhat.com>,
	Al Viro <viro@ZenIV.linux.org.uk>,
	"Eric W. Biederman" <ebiederm@xmission.com>
Subject: [RFC PATCH 0/4] Namespace contrained helper execution
Date: Tue, 25 Nov 2014 09:07:13 +0800
Message-ID: <20141125005255.4974.54193.stgit@pluto.fritz.box>

Hi all,

Some time ago an attempt was made to update call_usermodehelper()
to execute within its namespace.

Comments at the time were basically that the approach didn't go
nearly far enough to constrain the process.

This series attempts to remedy that by taking care to create an
appropriate namespace environment, then switch to it and set up
fs_struct for path walking prior to the user mode helper thread
runner calling do_execve().

Please review and comment on the patch series.
Ian

---

Benjamin Coddington (1):
      KEYS: exec request-key within the requesting task's namespace

Ian Kent (3):
      vfs - fs/namespaces.c: break out mntns_setfs() from mntns_install()
      nsproxy - make create_new_namespaces() non-static
      kmod - add call_usermodehelper_ns() helper


 fs/namespace.c              |   41 ++++++++++++++++++++++++++++-----------
 include/linux/kmod.h        |   17 ++++++++++++++++
 include/linux/mount.h       |    1 +
 include/linux/nsproxy.h     |    3 +++
 kernel/kmod.c               |   39 +++++++++++++++++++++++++++++++++++++
 kernel/nsproxy.c            |    2 +-
 security/keys/request_key.c |   45 +++++++++++++++++++++++++++++++++++++------
 7 files changed, 129 insertions(+), 19 deletions(-)


Thread overview: 27+ messages
2014-11-25  1:07 Ian Kent [this message]
2014-11-25  1:07 ` [RFC PATCH 1/4] vfs - fs/namespaces.c: break out mntns_setfs() from mntns_install() Ian Kent
2014-11-25  1:07 ` [RFC PATCH 2/4] nsproxy - make create_new_namespaces() non-static Ian Kent
2014-11-25  1:07 ` [RFC PATCH 3/4] kmod - add call_usermodehelper_ns() helper Ian Kent
2014-11-25 21:52   ` Oleg Nesterov
2014-11-25 22:06     ` Oleg Nesterov
2014-11-25 22:23       ` Eric W. Biederman
2014-11-25 23:07         ` Ian Kent
2014-11-25 23:19           ` Eric W. Biederman
2014-11-25 23:50             ` Ian Kent
2014-11-26  0:44               ` Ian Kent
2014-11-26  1:38               ` Eric W. Biederman
2014-12-01 21:56                 ` Benjamin Coddington
2014-12-02 23:33                   ` Ian Kent
2014-12-03 16:49                     ` Eric W. Biederman
2014-12-03 18:14                       ` Benjamin Coddington
2014-12-03 22:53                       ` Ian Kent
2014-12-03 23:34                       ` Ian Kent
2014-11-25 23:14       ` Ian Kent
2014-11-26 11:46       ` David Howells
2014-11-26 15:00         ` Eric W. Biederman
2014-11-26 22:57           ` J. Bruce Fields
2014-11-25 22:36     ` Ian Kent
2014-11-25 23:27       ` Eric W. Biederman
2014-11-28  0:19         ` Ian Kent
2014-11-27  1:30       ` Oleg Nesterov
2014-11-25  1:07 ` [RFC PATCH 4/4] KEYS: exec request-key within the requesting task's namespace Ian Kent
