Re: [CRIU] Introspecting userns relationships to other namespaces?

From: Eric W. Biederman
Date: Fri Jul 08 2016 - 20:04:48 EST

Next message: John Stultz: "Re: [PATCH] device-tree: nexus7: Set phy mode to otg instead of host"
Previous message: Vivien Didelot: "Re: [PATCH net-next 6/9] net: dsa: mv88e6xxx: rework Switch MAC setter"
In reply to: James Bottomley: "Re: [CRIU] Introspecting userns relationships to other namespaces?"
Next in thread: James Bottomley: "Re: [CRIU] Introspecting userns relationships to other namespaces?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> writes:

> On July 8, 2016 1:38:19 PM PDT, Andrew Vagin <avagin@xxxxxxxxxxxxx> wrote:

>>What do you think about the idea to mount nsfs and be able to look up
>>any alive namespace by inum:
>
> I think I like it. It will give us a way to enter any extant
> namespace. It will work for Eric's fs namespaces as well. Perhaps a
> /process/ns/<inum> Directory?

*Shivers*

That makes it very easy to bypass any existing controls that exist for
getting at namespaces. It is true that everything of that kind is
directory based but still.

Plus I think it would serve as information leak to information outside
of the container.

An operation to get a user namespace file descriptor from some kernel
object sounds reasonably sane.

A great big list of things sounds about as scary as it can get. This is
not the time to be making it easier to escape from containers.

Eric

Next message: John Stultz: "Re: [PATCH] device-tree: nexus7: Set phy mode to otg instead of host"
Previous message: Vivien Didelot: "Re: [PATCH net-next 6/9] net: dsa: mv88e6xxx: rework Switch MAC setter"
In reply to: James Bottomley: "Re: [CRIU] Introspecting userns relationships to other namespaces?"
Next in thread: James Bottomley: "Re: [CRIU] Introspecting userns relationships to other namespaces?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]