Keyrings, user namespaces and the user_struct
James Bottomley
James.Bottomley at HansenPartnership.com
Tue Oct 25 16:56:45 UTC 2016
On Tue, 2016-10-25 at 17:53 +0100, David Howells wrote:
> David Howells <dhowells at redhat.com> wrote:
>
> > (2) If a process's user_namespace doesn't match that recorded in a
> > key then
> > it gets ENOKEY if it tries to refer to it or access it and
> > can't see it
> > in /proc/keys.
>
> There's another possibility here - since user_namespaces are
> hierarchical, does it make sense to let a process see keys that are
> in an ancestral namespace?
I think that should be the decision of the owner. If you're creating a
userns to de-privilege the next user, likely you don't want this, but
if you're creating a userns to enhance it, then you do.
I think you want to behave exactly as the mount namespace does: on
initial clone, you get a fully cloned mount tree and then you customise
it by unmounting pieces.
James
More information about the Containers
mailing list