From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932941AbcGIHlN (ORCPT ); Sat, 9 Jul 2016 03:41:13 -0400 Received: from mail-db5eur01on0094.outbound.protection.outlook.com ([104.47.2.94]:34956 "EHLO EUR01-DB5-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751145AbcGIHlF (ORCPT ); Sat, 9 Jul 2016 03:41:05 -0400 Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=avagin@virtuozzo.com; Date: Sat, 9 Jul 2016 00:26:28 -0700 From: Andrew Vagin To: "Eric W. Biederman" CC: James Bottomley , Linux API , Containers , lkml , , "Michael Kerrisk (man-pages)" Subject: Re: [CRIU] Introspecting userns relationships to other namespaces? Message-ID: <20160709072627.GA7480@outlook.office365.com> References: <20160706141348.GB20728@mail.hallyn.com> <871t36kbvq.fsf@x220.int.ebiederm.org> <20160708015758.GA10512@outlook.office365.com> <87vb0gy3nr.fsf@x220.int.ebiederm.org> <1467988533.2322.118.camel@HansenPartnership.com> <20160708203818.GA2602@outlook.office365.com> <5e4cc802-f0e0-4f4c-a2f7-585aaaa8feec@email.android.com> <87wpkvpu1i.fsf@x220.int.ebiederm.org> <1468023332.2390.10.camel@HansenPartnership.com> <87bn27o6j5.fsf@x220.int.ebiederm.org> MIME-Version: 1.0 Content-Type: text/plain; charset="koi8-r" Content-Disposition: inline In-Reply-To: <87bn27o6j5.fsf@x220.int.ebiederm.org> User-Agent: Mutt/1.6.1 (2016-04-27) X-Originating-IP: [67.183.159.197] X-ClientProxiedBy: BY1PR10CA0002.namprd10.prod.outlook.com (10.160.197.12) To DB5PR0801MB1430.eurprd08.prod.outlook.com (10.167.229.18) X-MS-Office365-Filtering-Correlation-Id: 3583eb95-069e-48c4-29f0-08d3a7ca6374 X-Microsoft-Exchange-Diagnostics: 1;DB5PR0801MB1430;2:L+ys2cuUw89jLHtqht7jf9/P7UKTOK11zijv/CX/0M/GDlXskQc2V8ftmO6C5vbIDFmffbrm+94jU/YLEa6D8UJn98QgatLhW95J39bCxsdwMBDSuW+ZinhWP/x4f862z7y8PlTNnEWr3YS/wKhdv/GHkUdzuXvrnqXivjJXjTS3e+bfZ8IiEfetni2B5Znu;3:1dFfdrz2Th43mtNMTaK73Unkg5KGTJ8sWwLTTpL5O8WQokhxOupXDCh+i388oTZ/dMyT/0Ru/wRNWzAZ+deoQYpwyO20ZbIeZLGJN/ASWpBLAxOWtTCepUgwfJHDRDv+;25:vXSPSCKuYqnkcaiFMCB8VoqRxGO1hJdbwKh/1KYxgh2qHzOOdGgaH23si3CWt9e+rPnPqVFXUy5f6zgCm6/w5vQnXMLRUj+TCcJJ0a3TkNfkArLBbUvR0YUv6vsixxvut4Y567GwXwyntO7R2gTCiqEUXNqgT4wGzkXQCkkjcaFOMaQ08xYZL4kUbWJPoqxetEJla5/NsSJhYsLeA6qHfYiuMUMhAjwEl73YxfFSkAk9bqzEe/beKsyXfQD7TYWUuya+Q3t2R5jdQ3aXgLXtzO+UGAq2yp82i9pHXl/7b4e27ML3MUSxJD4JTRbQqiFVYPyP1LEdo5ei3B9meXJVXTsZBU+CJDkIWEHQ2YgN5VMFgbNfA3SvIQhe7B2fJxaAsD0QotxPvCzVlOf5YQROna2pXmToJzF2n+UQi4lIWtc= X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB5PR0801MB1430; X-Microsoft-Exchange-Diagnostics: 1;DB5PR0801MB1430;31:vp2vI1Gj9ptYgpchHDY1y57+u/J9uaonV7dD3HUa7xJ8byeMiF4NYEV6p/y/ZPmYee1r8eSze6oyVyFIWxbSId6FSxXIWAovoO5ANb146mPJkNq+7p94N8vpAq8qzcEb+mnZceamHA+lIN8wcUk/MbXTlitkqve9KHbslJy7yqyxrqH/Ry9NPmORLYwBJIXknV532HJQDgo+clg7kv61IQ==;4:kGo0eq0mi0rjFupY7jzeBn7JASGdOT3FSFutUaTrrHguESwEW2gdMGBKONVZuvlqkSN15lh6e2YTgT6umNn4AmakYfmAkfixNqWF7v21+M3oxS41MeOdyGnapI34m4o527lpQbyybrDwq3DB8Kup0ffbp+itpmghdPT79ig45i3aYYMqz0gsBsk3DeHmb2em5OIUQ90PLqs0v7EezVLwsAetQIHnpRLN4GhURM7TcomoIbM2omscot6hWzRzCx8ZuwQhtFYmuZJ3LgVMIF/6UysbMAyFVn5OHuIQrWJKJ74Z9fDRtA3iipEMinRQdx9WO3OFYZBIztUG6/izv0TvbBDKgA0eHTfj5nwGTAG8jCH8n9z9fXYyV6cD6np118GOnsOiIKgDVe7o7rohf12woyUqtr5gr7h3yXlFbaOP8e2zIqjXN3cDC1z2d4Pf2VM+HUPhxDntOK8BFl1VBQ4usIosjzo36kzJU8+XDi5cZnL7KWcpxli+GyZXkPzvI38hV0IsRYQIFgs5jUlgm3CX/CzZ/2/kwGpqNk1t9uijjOg= X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:(278428928389397)(192374486261705)(227817650892897); X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(6040130)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6041072)(6043046);SRVR:DB5PR0801MB1430;BCL:0;PCL:0;RULEID:;SRVR:DB5PR0801MB1430; X-Forefront-PRVS: 0998671D02 X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10019020)(4630300001)(6009001)(7916002)(377454003)(189002)(377424004)(24454002)(76104003)(199003)(50986999)(81166006)(8676002)(81156014)(101416001)(76176999)(54356999)(77096005)(69596002)(19580405001)(3846002)(19580395003)(6116002)(83506001)(2950100001)(586003)(7736002)(7846002)(305945005)(42186005)(92566002)(53416004)(66066001)(47776003)(97736004)(105586002)(4001350100001)(110136002)(189998001)(33656002)(106356001)(1076002)(23686003)(68736007)(50466002)(9686002)(86362001)(2906002)(4326007)(93886004)(18370500001)(26326002)(21314002);DIR:OUT;SFP:1102;SCL:1;SRVR:DB5PR0801MB1430;H:outlook.office365.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en; X-Microsoft-Exchange-Diagnostics: =?koi8-r?Q?1;DB5PR0801MB1430;23:FcBSR4U5BKA/Yg+BnulXoB6pktEs3OfjAXIlERf7H?= =?koi8-r?Q?nDQ0hr7QrBJKF9cUuM5wyNaAUW+aphvk/NXjDnOr9+eNCDQ7M75DNlD6MndEQV?= =?koi8-r?Q?LracaStPD3r3NStAtvVzlUcUS3AfJ3G66f2GujjOU4XXjkR9US1zSzp3tmxYaD?= =?koi8-r?Q?OjZFLP5iRfdoRha4tVJtxlEMirAcpsPKiW5/Dchf9RW1OeTuoWkEg5/iRpYd/A?= =?koi8-r?Q?owBT/OPbMQCaiH0kDMcR5Mm5qxo4aD8qoPKCZAZvMg2KgexjIBCBMLJczxLBSF?= =?koi8-r?Q?4LFwlHoEvhXfjR5bYfC8r3oFW8uEgZo8TmigCyEAmZT0rhnRxooa9R3ew5iP08?= =?koi8-r?Q?ZkINBwkXKwQ5ZSOGS1lnUHT+BaMVHWRsRmDfVxqix51MmME6A61LxzwLuVVVky?= =?koi8-r?Q?08KzJ0EBb2wsbAtyNqPMI6QKglXp+AxAuZpXyQkMtnzqOYjvnBCSI1O2Y9ROSw?= =?koi8-r?Q?eOTkWyKd1QRFMzTX356k966sGmb7J68cR8Te9gZBOhW9hCW69O0YfOUF6VN2NA?= =?koi8-r?Q?LD7H+ba5ocdvOq67Wy4Va1kBEUnBX5RZtmUPOQvgwIDq58AOe1O+Fo8FqsGcNV?= =?koi8-r?Q?dElQOajJVGDnmlcotAGJ+dOa7jARUvq1uXGYNzkCmMEpeThNTp8qIhkCQxWP2B?= =?koi8-r?Q?W8707HWcjoL8Iyj0t8VxCvXAX9bXKl7dIJVK1/VY8nsAuvuIAmrqB4dOk4l+Ve?= =?koi8-r?Q?60YZhRPk0679rqAX1xo9cZIvqdRXah6aUZm3nzML+vKr1VyppYuAsYZu3EeJcd?= =?koi8-r?Q?m3rcSYWuNTN9AgQxKT4b2iyEkVCx+otkfXWAEAjQguDoKkbrMH5wjB4zFK4gz4?= =?koi8-r?Q?FimK0DzF8y+l4QVXYjx8f0htVngbXnc8mVZ6fInojH9WLtgK9IbqjgV9ZmZsCj?= =?koi8-r?Q?TxfMWN07VUlexTH2OuPoZ8UfcW5JDAaWQ9PFtCrZMJlSbuzD/5nHbeQIodspcU?= =?koi8-r?Q?N5lK1u/8IjlXis1alLar0llu2ghmNYjhs0qkg9OZm9o7TR3W/2Mz9NV8kT5qPB?= =?koi8-r?Q?J6D35axDqQ5IDyJFwGGM48Ga6L/x99QixD2cbVZ4PI1iZ8t6z+KZhIX9UqtXbH?= =?koi8-r?Q?QNxu11L/fZrYqdJoPPFYJCHF5bwi8oLjvsXLq8i3m5zfTTNlVpyFQUzJbQfsop?= =?koi8-r?Q?IbFnL1KAx/xXvBzxarlaiaKJdtCdnbBHzfHZ4B/Fo79a+AgcIlhn/Rbcepmj9r?= =?koi8-r?Q?WCnFAVZDjNmKilQUrnPvyBUSaGG1WzOWCgR9c7SXtJzEhW4MQO6HBovKxRck0P?= =?koi8-r?Q?0f/dk1s809CJAPKsH7lCw=3D=3D?= X-Microsoft-Exchange-Diagnostics: 1;DB5PR0801MB1430;6:J1+1ImQjQsyaLf+dK9042w9dAeaFaThFOYz+vX2+95FylqxPh6J3MEzt73HhbsUY4/ciHDDWTvxlU9v7e7anFuBx+HQGwJGSXnOX1hafVTGNVwDTPcEQ9neDERgx/+BlaO3nR9Z9tmhXVSyA6TyIgjKQhdgMs65HgVm8aV1S0x5Z9/m845DXVw2yaH3+s1gJZqDM/+q2ubBBJwTZr3yIhot4pHvF01M2I8q78jeivNiK2Gqh0QQyv7Ef42icyvFe4C9aL0uo1hMeC7FfEP5F00k5U+6BT9zjyDJgIWTzh1PAon2P5bz1jBHyUa7a/gBu;5:F6RI7llnxMuy5gTbQCAtp36XqJQRW1fzZxfkwliIFO7GWrqGJThLW7ccF2F4ZzBoPaHRwFgCQ5dkI+rERmh9g7O1dmSYJ3I13Jwtca/twHuSpjmq2lVqVC4msJpjbwbj3F8gvyyhJUD/agz9BytdKg==;24:EGyZvh/mYU7IuFO/j1Z6lDJD//rVc219HzqtYkZRxzDedx5ywXtU68JAA2g7lbuA5rBFSiQQdbIAZz9LJxv6dq4wstrtwdzCQkiGxIw49eY=;7:ghxvazN5XjJtpzNhg/iSy6hu+uhVphJFue5+Tmdo1LP3pflwERGX7bNJ8ByJHMUPNxdHLfdZ8rCiE8/Or3TLNDgCZ+uY+m91ctvQICUFsI7SfSQP1jbIF8OTAS33yoMaRHZI9Uz0aqC80jPewrjAHO8YWZCN/tZuAEvmxiUo3CxaD5F4zSstfaQtUkUtWomurTfvQIweRRG9BjMnaOlskwND50aVH7PXfrKjF+cUzZJwFifXbkNKuynQsjUldn9J SpamDiagnosticOutput: 1:99 SpamDiagnosticMetadata: NSPM X-Microsoft-Exchange-Diagnostics: 1;DB5PR0801MB1430;20:k9B+JZhU1UhUOYvuWNb+OYcQBE9rBTL9Dq3BWEPafJ4NtobmB5efBdKn9gEPwK+E7nVRirtpnWTkgLKQX+XO6scRgvKHEYBIBir1mf1HIXJ3GV1uhP4rJE2gP988/bCVG3r2enbE1sGbazw9ZwD+tQbpvyD6V6mYBS2ezqT/8II= X-OriginatorOrg: virtuozzo.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Jul 2016 07:26:46.5247 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR0801MB1430 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jul 08, 2016 at 10:05:18PM -0500, Eric W. Biederman wrote: > James Bottomley writes: > > > On Fri, 2016-07-08 at 18:52 -0500, Eric W. Biederman wrote: > >> James Bottomley writes: > >> > >> > On July 8, 2016 1:38:19 PM PDT, Andrew Vagin > >> > wrote: > >> > >> > > What do you think about the idea to mount nsfs and be able to > >> > > look up any alive namespace by inum: > >> > > >> > I think I like it. It will give us a way to enter any extant > >> > namespace. It will work for Eric's fs namespaces as well. Perhaps > >> > a /process/ns/ Directory? > > > > As you understood, I meant /proc/ns/ (damn mobile phone > > completions). > > > >> *Shivers* > >> > >> That makes it very easy to bypass any existing controls that exist > >> for getting at namespaces. It is true that everything of that kind > >> is directory based but still. > >> > >> Plus I think it would serve as information leak to information > >> outside of the container. > >> > >> An operation to get a user namespace file descriptor from some kernel > >> object sounds reasonably sane. > >> > >> A great big list of things sounds about as scary as it can get. This > >> is not the time to be making it easier to escape from containers. > > > > To be honest, I think this argument is rubbish. If we're afraid of > > giving out a list of all the namespaces, it means we're afraid there's > > some security bug and we're trying to obscure it by making the list > > hard to get. All we've done is allayed fears about the bug but the > > hackers still know the portals to get through. > > > > If such a bug exists, it will be possible to exploit it by simply > > reconstructing the information from the individual process directories, > > so obscurity doesn't protect us and all it does is give us a false > > sense of security. If such a bug doesn't exist, then all the security > > mechanisms currently in place (like no re-entry to prior namespace) > > should protect us and we can give out the list. > > > > Let's deal with the world as we'd like it to be (no obscure namespace > > bugs) and accept the consequences and the responsibility for fixing > > them if we turn out to be slightly incorrect. We'll end up in a far > > better place than security by obscurity would land us. > > No. That is not the fear. The permission checks on /proc/self/ns/xxx > are different than if the namespace is bind mounted somewhere. > > That was done deliberately and with a reasonable amount of forethought. > You are asking to throw those permission checks out. The answer is no. > > Furthermore there is a much clearer reason not to go with a list of all > namespaces. A list of all namespaces breaks CRIU. As you have described > it the list will change depending upon which machine you restore a > checkpoint on. I honestly don't know what kind of havoc that will cause > but it is certainly something we won't be able to checkpoint no matter > how hard we try. It's right. I hadn't thought about this. > > A global list of namespaces especially of the kind that you can open > and get a handle to the namespace is just not appropriate. > > I know inode numbers comes darn close to names but they aren't really > names and if it comes to it we can figure out how to preserve an > applications view of it all across a checkpoint/restart. So far it > hasn't proven necessary to preserve any inode numbers across > checkpoint/restart but again it is theoretically possible if it becomes > necessary. > > Throwing away checkpoint/restart support for the sake of > checkpoint/restart is a no-go. > > Containers fundamentally imply you don't have global visibility, > and that is a good thing. All these thoughts about security make me thinking that kcmp is what we should use here. It's maybe something like this: kcmp(pid1, pid2, KCMP_NS_USERNS, fd1, fd2) - to check if userns of the fd1 namepsace is equal to the fd2 userns kcmp(pid1, pid2, KCMP_NS_PARENT, fd1, fd2) - to check if a parent namespace of the fd1 pidns is equal to fd pidns. fd1 and fd2 is file descriptors to namespace files. So if we want to build a hierarchy, we need to collect all namespaces and then enumerate them to check dependencies with help of kcmp. > > Eric