Re: [GIT PULL] user namespace enhancements for Linux 3.5-rc1

From: Serge Hallyn
Date: Sat May 26 2012 - 19:59:02 EST

Next message: Greg KH: "Re: [ 13/54] net: In unregister_netdevice_notifier unregister thenetdevices."
Previous message: Andrea Arcangeli: "Re: mm: kernel BUG at mm/memory.c:1230"
In reply to: Eric W. Biederman: "Re: [GIT PULL] user namespace enhancements for Linux 3.5-rc1"
Next in thread: richard -rw- weinberger: "Re: [GIT PULL] user namespace enhancements for Linux 3.5-rc1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

----- Original message -----
> Colin Walters <walters@xxxxxxxxxx> writes:
>
> > On Tue, 2012-05-22 at 12:48 -0600, Eric W. Biederman wrote:
> >
> > > My git tree covers all of the modifications needed to convert the
> > > core kernel and enough changes to make a system bootable to runlevel
> > > 1.
> >
> > What system?Â I'm curious about the state of your userspace
> > modifications.
>
> Debian.
>
> Userspace won't need any modifications to work, but I am slowly working
> through the patches needed to get everything in the kernel converted.
> And my patches for the networking stack weren't quite ready for the
> merge window.
>
> Ultimately to be included in distro kernels and really be useful I need
> to make everything in the kernel that plays with uids and gids user
> namespace aware so that is my goal for the next merge window.Â We will
> see how that goes.
>
> As for patches to userspace, all I think I will need is a small change
> to useradd, and perhaps a helper function to validate the mapping into
> the initial user namespace's uids. Aka is user A allowed to use uids
> 100,000-110,000?

To elaborate, remember uids in a user ns each map to a uid on the host (to be precise, in the initial userns). Mapping to a uid on the host takes privilege. So a setuid tool (i have a poc coded) checks a /etc file to see whether the host uids requested by an unprivileged user are allowed to him. The useradd patch would be to fascilitate filling in ranges in that /etc file when the user is created. So serge may get 100000-109999, joe 110000-119999, etc.

Nothing is needed in userspace just to boot a system with a user-ns-enabled kernel, or to have root use user namespaces (other than something to call clone with CLONE_NEWUSER).

> I have a branch in my user-namespace.git with all of the rest of my
> kernel changes if you want to play.Â Beyond that I expect most of the
> user space changes (useradd etc) to land in ubuntu fairly shortly
> after they are viable as I am working closely with a couple folks
> at ubunut.
>
> Eric
>
>
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel"
> in the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info atÂ http://vger.kernel.org/majordomo-info.html
> Please read the FAQ atÂ http://www.tux.org/lkml/

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "Re: [ 13/54] net: In unregister_netdevice_notifier unregister thenetdevices."
Previous message: Andrea Arcangeli: "Re: mm: kernel BUG at mm/memory.c:1230"
In reply to: Eric W. Biederman: "Re: [GIT PULL] user namespace enhancements for Linux 3.5-rc1"
Next in thread: richard -rw- weinberger: "Re: [GIT PULL] user namespace enhancements for Linux 3.5-rc1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]