linux-kernel.vger.kernel.org archive mirror
From: Andy Lutomirski <luto@amacapital.net>
To: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>,
	Linux FS Devel <linux-fsdevel@vger.kernel.org>,
	Dave Chinner <david@fromorbit.com>, Jan Kara <jack@suse.cz>,
	"linux-ext4@vger.kernel.org" <linux-ext4@vger.kernel.org>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Dmitry Monakhov <dmonakhov@openvz.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Li Xi <pkuelelixi@gmail.com>
Subject: Re: [PATCH RFC v2 2/6] fs: protected project id
Date: Tue, 10 Mar 2015 11:57:01 -0700	[thread overview]
Message-ID: <CALCETrUb8JG6P2==M5d=XnhE-6Z04neo+_h3dtTP-ZyCmAkMnQ@mail.gmail.com> (raw)
In-Reply-To: <CALYGNiP0u51JVtAROdNpK5hYKHrtpT1WSyKS_tqxsTKZ7FWKvw@mail.gmail.com>

On Tue, Mar 10, 2015 at 11:51 AM, Konstantin Khlebnikov
<koct9i@gmail.com> wrote:
> On Tue, Mar 10, 2015 at 8:32 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>> On Tue, Mar 10, 2015 at 10:22 AM, Konstantin Khlebnikov
>> <khlebnikov@yandex-team.ru> wrote:
>>> Historically the XFS project id doesn't have any permission control: the file owner
>>> is able to set any project id. Later it was sealed with the user-namespace:
>>> XFS allows changing it only from the init user-ns. That works fine for isolated
>>> containers or if the user doesn't have direct access to the filesystem (NFS/FTP).
>>>
>>> This patch adds the sysctl fs.protected_projects, which makes changing the project id
>>> a privileged operation that requires CAP_SYS_RESOURCE in the current user-namespace.
>>> Thus there are two levels of protection: the project id mapping in the user-ns defines
>>> the set of permitted projects and the capability protects operations within this set.
>>
>> If I understand this right, this doesn't work.  If I lack
>> CAP_SYS_RESOURCE but I have two projids mapped, then I can create a
>> new userns, map both projids, and get CAP_SYS_RESOURCE.
>
> Setting the project id mapping for a nested user-namespace also requires
> this capability in the parent namespace. The same as for setting the uid/gid
> mapping, but without the special case for mapping the current uid/gid, because
> a task has no "current" project id.
>
> This is mentioned in the cover letter but I forgot it here. Sorry.

Right, sorry.  I'm still used to projid mappings being unprotected.

--Andy

-- 
Andy Lutomirski
AMA Capital Management, LLC
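As an added illustration of the two-level check discussed above (not code from the patch set or from either participant), a small Python model: the projid map of a user namespace is the permitted set, CAP_SYS_RESOURCE gates the change while fs.protected_projects is on, and a child namespace's projid map can only be written with that capability in the parent, with no self-mapping exception. The names UserNs, Task, write_projid_map and nested_ns_attempt are my own and the whole policy is modelled from the thread's description, not from kernel code.

```python
from __future__ import annotations
from dataclasses import dataclass, field

CAP_SYS_RESOURCE = "CAP_SYS_RESOURCE"
PROTECTED_PROJECTS = True  # models sysctl fs.protected_projects = 1

@dataclass
class UserNs:
    parent: UserNs | None = None
    projid_map: set[int] = field(default_factory=set)  # permitted projids

@dataclass
class Task:
    ns: UserNs
    caps: set[str] = field(default_factory=set)  # caps held in task.ns

def can_set_projid(task: Task, projid: int) -> bool:
    """Level 1: the id must be mapped in the caller's user-ns.
    Level 2: with fs.protected_projects, CAP_SYS_RESOURCE is needed too."""
    if projid not in task.ns.projid_map:
        return False
    return not PROTECTED_PROJECTS or CAP_SYS_RESOURCE in task.caps

def write_projid_map(writer: Task, child: UserNs, projids: set[int]) -> bool:
    """Writing a child's projid map needs CAP_SYS_RESOURCE in the parent ns.
    Unlike uid/gid maps there is no self-mapping exception (modelled from
    the thread's description, assumption)."""
    if child.parent is not writer.ns or not projids <= writer.ns.projid_map:
        return False
    if CAP_SYS_RESOURCE not in writer.caps:
        return False
    child.projid_map |= projids
    return True

def unshare_userns(task: Task) -> Task:
    """A fresh user-ns grants full caps inside it, but its projid map is
    empty until the parent populates it."""
    return Task(ns=UserNs(parent=task.ns), caps={CAP_SYS_RESOURCE})

def nested_ns_attempt(parent_caps: set[str]) -> bool:
    """Andy's scenario: a task with projids 100 and 200 mapped unshares a
    user-ns, tries to map both ids there, then changes a file to 200.
    Returns whether that final projid change is permitted."""
    outer = Task(ns=UserNs(projid_map={100, 200}), caps=parent_caps)
    inner = unshare_userns(outer)
    write_projid_map(outer, inner.ns, {100, 200})  # denied without the cap
    write_projid_map(inner, inner.ns, {100, 200})  # denied: not the parent
    return can_set_projid(inner, 200)

if __name__ == "__main__":
    print("unprivileged parent:", nested_ns_attempt(set()))  # False
    print("CAP_SYS_RESOURCE parent:", nested_ns_attempt({CAP_SYS_RESOURCE}))  # True
```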
