Re: [PATCH v2] xattr: Enable security.capability in user namespaces

From: Stefan Berger
Date: Tue Jul 18 2017 - 08:12:42 EST

Next message: Ingo Molnar: "Re: perf: bisected sampling bug in Linux 4.11-rc1"
Previous message: Paul Kocialkowski: "Re: [PATCH] drm/i915: Synchronize connectors states when switching from poll to irq"
In reply to: James Morris: "Re: [PATCH v2] xattr: Enable security.capability in user namespaces"
Next in thread: Eric W. Biederman: "Re: [PATCH v2] xattr: Enable security.capability in user namespaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 07/18/2017 03:01 AM, James Morris wrote:

On Thu, 13 Jul 2017, Stefan Berger wrote:

A file shared by 2 containers, one mapping root to uid=1000, the other mapping
root to uid=2000, will show these two xattrs on the host (init_user_ns) once
these containers set xattrs on that file.

I may be missing something here, but what happens when say the uid=2000
container and associated user is deleted from the system, then another is
created with the same uid?

Won't this mean that you have unexpected capabilities turning up in the
new container?

Yes, that's right. I don't know any solution for that. We would have to walk the filesystems and find all 'stale' xattrs with such a uid. This is independent of whether the uid is encoded on the name side, as in this patch, or on the value side, as in Serge's original proposal. And uids of a mapped container root user don't necessarily have to have an account on the host so that an account deletion could trigger that.

Stefan

Next message: Ingo Molnar: "Re: perf: bisected sampling bug in Linux 4.11-rc1"
Previous message: Paul Kocialkowski: "Re: [PATCH] drm/i915: Synchronize connectors states when switching from poll to irq"
In reply to: James Morris: "Re: [PATCH v2] xattr: Enable security.capability in user namespaces"
Next in thread: Eric W. Biederman: "Re: [PATCH v2] xattr: Enable security.capability in user namespaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]