linux-security-module January 2008 archive
Main Archive Page > Month Archives  > linux-security-module archives
linux-security-module: Re: [PATCH 0/4] user namespaces: introduc

Re: [PATCH 0/4] user namespaces: introduction

From: Daniel Hokka Zakrisson <daniel_at_nospam>
Date: Mon Jan 28 2008 - 19:24:24 GMT
To: "Serge E. Hallyn" <serue@us.ibm.com>


Serge E. Hallyn wrote:
> Here is a small patchset I've been sitting on for awhile
> to make signaling mostly subject to user namespaces. In
> particular,
>
> 1. store user_namespace in user struct
> 2. introduce CAP_NS_OVERRIDE
> 3. require CAP_NS_OVERRIDE to signal another user namespace
>
> The first step should have been done all along. Else wouldn't
> a hash collision on (ns1, uid) and (ns2, uid), however unlikely,
> give us wrong results at uid_hash_find()?

Unless I've completely misunderstood the code, each namespace has a separate hash. Please correct me if I'm wrong.

> The main remaining signaling+userns issue is of course the
> siginfo. Tacking a userns onto siginfo is a pain due to
> lifetime mgmt issues. I haven't decided whether to just
> catch all the callers and fake uid=0 if user namespaces
> aren't the same, introduce some unique non-refcounted id to
> represent (user,user_ns), or find some other way to deal with
> it.
>
> thanks,
> -serge
-- Daniel Hokka Zakrisson - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html