From: Ian Kent <ikent@redhat.com>
To: Kernel Mailing List <linux-kernel@vger.kernel.org>
Cc: "J. Bruce Fields" <bfields@fieldses.org>,
Oleg Nesterov <onestero@redhat.com>,
Stanislav Kinsbursky <skinsbursky@parallels.com>,
Trond Myklebust <trond.myklebust@primarydata.com>,
David Howells <dhowells@redhat.com>,
Benjamin Coddington <bcodding@redhat.com>,
Al Viro <viro@ZenIV.linux.org.uk>,
"Eric W. Biederman" <ebiederm@xmission.com>
Subject: [RFC PATCH 0/4] Namespace constrained helper execution
Date: Tue, 25 Nov 2014 09:07:13 +0800
Message-ID: <20141125005255.4974.54193.stgit@pluto.fritz.box>

Hi all,

Some time ago an attempt was made to update call_usermodehelper()
to execute within its namespace.

Comments at the time were basically that the approach didn't go
nearly far enough to constrain the process.

This series attempts to remedy that by taking care to create an
appropriate namespace environment then switch to it and set up
fs_struct for path walking prior to the user mode helper thread
runner calling do_execve().

Please review and comment on the patch series.

Ian
---

Benjamin Coddington (1):
      KEYS: exec request-key within the requesting task's namespace

Ian Kent (3):
      vfs - fs/namespaces.c: break out mntns_setfs() from mntns_install()
      nsproxy - make create_new_namespaces() non-static
      kmod - add call_usermodehelper_ns() helper

 fs/namespace.c              |   41 ++++++++++++++++++++++++++++-----------
 include/linux/kmod.h        |   17 ++++++++++++++++
 include/linux/mount.h       |    1 +
 include/linux/nsproxy.h     |    3 +++
 kernel/kmod.c               |   39 +++++++++++++++++++++++++++++++++++++
 kernel/nsproxy.c            |    2 +-
 security/keys/request_key.c |   45 +++++++++++++++++++++++++++++++++++++------
 7 files changed, 129 insertions(+), 19 deletions(-)

--
Signature

Thread overview: 27+ messages
2014-11-25 1:07 Ian Kent [this message]
2014-11-25 1:07 ` [RFC PATCH 1/4] vfs - fs/namespaces.c: break out mntns_setfs() from mntns_install() Ian Kent
2014-11-25 1:07 ` [RFC PATCH 2/4] nsproxy - make create_new_namespaces() non-static Ian Kent
2014-11-25 1:07 ` [RFC PATCH 3/4] kmod - add call_usermodehelper_ns() helper Ian Kent
2014-11-25 21:52 ` Oleg Nesterov
2014-11-25 22:06 ` Oleg Nesterov
2014-11-25 22:23 ` Eric W. Biederman
2014-11-25 23:07 ` Ian Kent
2014-11-25 23:19 ` Eric W. Biederman
2014-11-25 23:50 ` Ian Kent
2014-11-26 0:44 ` Ian Kent
2014-11-26 1:38 ` Eric W. Biederman
2014-12-01 21:56 ` Benjamin Coddington
2014-12-02 23:33 ` Ian Kent
2014-12-03 16:49 ` Eric W. Biederman
2014-12-03 18:14 ` Benjamin Coddington
2014-12-03 22:53 ` Ian Kent
2014-12-03 23:34 ` Ian Kent
2014-11-25 23:14 ` Ian Kent
2014-11-26 11:46 ` David Howells
2014-11-26 15:00 ` Eric W. Biederman
2014-11-26 22:57 ` J. Bruce Fields
2014-11-25 22:36 ` Ian Kent
2014-11-25 23:27 ` Eric W. Biederman
2014-11-28 0:19 ` Ian Kent
2014-11-27 1:30 ` Oleg Nesterov
2014-11-25 1:07 ` [RFC PATCH 4/4] KEYS: exec request-key within the requesting task's namespace Ian Kent