Keys and namespaces

David Howells dhowells at redhat.com
Fri Oct 10 05:58:23 PDT 2008


On the subject of namespaces: I still need to look at providing a key ID and
keyring name namespace.

Is it worth me just using the user_namespace?  A number of parameters are
per-UID (such as the key quotas), so it might very well make sense to do that.

That way, user_namespace could actually be a credentials namespace.

If that is the case, CLONE_NEWUSER should also set up (clone?) the keys and
keyrings attached to the parent.  This possibly needs to be done anyway as the
keys have UID and GID references that may be invalid in the new namespace.

How do the UIDs and GIDs in different namespaces map, anyway?

Furthermore, some keys may actually represent foreign user details; perhaps
NTFS or CIFS user IDs for example.  Should those be discarded on CLONE_NEWUSER?

David


More information about the Containers mailing list