[PATCH 1/1] RFC: taking a crack at targeted capabilities

Serge E. Hallyn serue at us.ibm.com
Sun Feb 14 20:05:29 PST 2010


Quoting Eric W. Biederman (ebiederm at xmission.com):
> "Serge E. Hallyn" <serue at us.ibm.com> writes:
> 
> > So i was thinking about how to safely but incrementally introduce
> > targeted capabilities - which we decided was a prereq to making VFS
> > handle user namespaces - and the following seemed doable.  My main
> > motivations were (in order):
> >
> >         1. don't make any unconverted capable() checks unsafe
> >         2. minimize performance impact on non-container case
> >         3. minimize performance impact on containers
> 
> My motivation is a bit different.  I would like to get to the
> unprivileged creation of new namespaces.  It looks like this gets us
> 90% of the way there, with only potential uid confusion issues left.

Just a pair of instances of uid comparison are now addressed in

	http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/sergeh/linux-cr.git;a=shortlog;h=refs/heads/feb13.userns.uid_equivs

which has your patch "taking a crack at targeted capabilities" at its
core.  Talk about your baby steps...  But I need to go back and re-read
what we'd discussed over the last few years about how we wanted to
tag superblocks/mounts->inodes before I go on.

Anyway now uid equivalence checks are ns-aware for basic vfs_permission
and task kill at least.  It's a start.

-serge


More information about the Containers mailing list