Containers don't handle keys, but should they?
Serge E. Hallyn
serue at us.ibm.com
Fri Mar 14 09:17:11 PDT 2008
Quoting David Howells (dhowells at redhat.com):
> Serge E. Hallyn <serue at us.ibm.com> wrote:
>
> > It looks like maybe just adding a struct user_namespace * to a struct key
> > should suffice.
>
> That's not quite sufficient. The per-UID key_user structs also need to be
> differentiated. Unfortunately, I can't just merge it into user_struct as I
> then end up with a reference loop user_struct -> uid_keyring -> user_struct.
>
> Rooting the key_user trees in user_namespace will probably do the trick.
>
> A couple of questions:
>
> (1) A process may inherit a session keyring over clone(). Should this be
> discarded if CLONE_NEWUSER is set? Or would I need to copy it?
Someone else may have stronger feelings about this. Personally so long
as a container setup program has a way of discarding the keyring
manually I think that's fine.
> (2) In a recent patch, I've given the root user its own quota limits. Is UID
> 0 always the root user in any container? Or would it make more sense
> just to scrap the per-root quota limits?
Yeah uid 0 may not have a bunch of privileges, but it is still the root
user.
thanks,
-serge
More information about the Containers
mailing list