Containers don't handle keys, but should they?
David Howells
dhowells at redhat.com
Fri Mar 14 08:49:20 PDT 2008
Serge E. Hallyn <serue at us.ibm.com> wrote:
> It looks like maybe just adding a struct user_namespace * to a struct key
> should suffice.
That's not quite sufficient. The per-UID key_user structs also need to be
differentiated. Unfortunately, I can't just merge it into user_struct as I
then end up with a reference loop user_struct -> uid_keyring -> user_struct.
Rooting the key_user trees in user_namespace will probably do the trick.
A couple of questions:
(1) A process may inherit a session keyring over clone(). Should this be
    discarded if CLONE_NEWUSER is set? Or would I need to copy it?

(2) In a recent patch, I've given the root user its own quota limits. Is UID
    0 always the root user in any container? Or would it make more sense
    just to scrap the per-root quota limits?
David
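The approach sketched in the message above (per-UID key_user records rooted in the user_namespace rather than reached through user_struct) can be illustrated with a small userspace model. This is an added example, not kernel code and not David Howells' patch: the names key_user and user_namespace come from the message, while every field, the list layout, the quota numbers and the functions key_user_lookup, key_user_put and key_user_charge are assumptions made for the demonstration. It shows why the same UID in two namespaces gets separate keyring quota accounting, and why no user_struct -> uid_keyring -> user_struct reference loop arises when the record is found by walking from the namespace.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical userspace model (not the kernel's structures): each user
 * namespace owns its own list of per-UID key_user records. */
struct key_user {
    unsigned int uid;        /* UID as seen inside the owning namespace */
    unsigned int usage;      /* references held by keys, never by user_struct */
    unsigned int qnkeys;     /* number of keys charged to this user */
    unsigned int qnbytes;    /* payload bytes charged to this user */
    struct key_user *next;   /* next record in the namespace's list */
};

struct user_namespace {
    unsigned int maxkeys;    /* per-user key count quota in this namespace */
    unsigned int maxbytes;   /* per-user payload byte quota in this namespace */
    struct key_user *key_users; /* key_user records rooted here */
};

/* Find or create the key_user for uid in ns, taking a reference.  The record is
 * reached through the namespace, so nothing in key_user points back at a
 * user_struct and no reference cycle keeps either alive. */
struct key_user *key_user_lookup(struct user_namespace *ns, unsigned int uid)
{
    struct key_user *ku;
    for (ku = ns->key_users; ku; ku = ku->next)
        if (ku->uid == uid) { ku->usage++; return ku; }
    ku = calloc(1, sizeof(*ku));
    if (!ku) return NULL;
    ku->uid = uid;
    ku->usage = 1;
    ku->next = ns->key_users;
    ns->key_users = ku;
    return ku;
}

/* Drop a reference; unlink from the namespace and free on the last one. */
void key_user_put(struct user_namespace *ns, struct key_user *ku)
{
    struct key_user **pp;
    if (--ku->usage) return;
    for (pp = &ns->key_users; *pp; pp = &(*pp)->next)
        if (*pp == ku) { *pp = ku->next; break; }
    free(ku);
}

/* Charge one key of nbytes to the user; 0 on success, -1 if the namespace's
 * per-user quota would be exceeded. */
int key_user_charge(struct user_namespace *ns, struct key_user *ku, unsigned int nbytes)
{
    if (ku->qnkeys + 1 > ns->maxkeys || ku->qnbytes + nbytes > ns->maxbytes)
        return -1;
    ku->qnkeys++;
    ku->qnbytes += nbytes;
    return 0;
}

/* UID 1000 in two namespaces is two separate records: exhausting the quota in
 * one namespace does not touch the other.  Returns 1 when all checks hold. */
int demo_separate_namespaces(void)
{
    struct user_namespace a = { 3, 1024, NULL };
    struct user_namespace b = { 3, 1024, NULL };
    struct key_user *ka = key_user_lookup(&a, 1000);
    struct key_user *kb = key_user_lookup(&b, 1000);
    int distinct = (ka != kb);
    int rc = 0, i;
    for (i = 0; i < 3; i++) rc |= key_user_charge(&a, ka, 100);
    int a_full = (key_user_charge(&a, ka, 100) == -1);
    int b_ok = (key_user_charge(&b, kb, 100) == 0);
    key_user_put(&a, ka);
    key_user_put(&b, kb);
    return distinct && rc == 0 && a_full && b_ok &&
           a.key_users == NULL && b.key_users == NULL;
}

/* Two lookups of the same UID in one namespace share one record, and it is
 * freed only when the last reference goes.  Returns 1 when all checks hold. */
int demo_same_namespace(void)
{
    struct user_namespace a = { 3, 1024, NULL };
    struct key_user *k1 = key_user_lookup(&a, 1000);
    struct key_user *k2 = key_user_lookup(&a, 1000);
    int same = (k1 == k2) && k1->usage == 2;
    key_user_put(&a, k1);
    int still_there = (a.key_users == k2);
    key_user_put(&a, k2);
    return same && still_there && a.key_users == NULL;
}

int main(void)
{
    printf("separate namespaces isolated: %d\n", demo_separate_namespaces());
    printf("same namespace shares record: %d\n", demo_same_namespace());
    return 0;
}
```

The quota limits here live in the namespace because that is the simplest place to hang them in a model; the message leaves open whether UID 0 should get distinct limits in every container, and this example does not answer that.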