Serge E. Hallyn | 5 May 17:20 2016

[PATCH] mountinfo: implement show_path for kernfs and cgroup

Short explanation:

When showing a cgroupfs entry in mountinfo, show the path of the mount
root dentry relative to the reader's cgroup namespace root.

Long version:

When a uid 0 task which is in freezer cgroup /a/b, unshares a new cgroup
namespace, and then mounts a new instance of the freezer cgroup, the new
mount will be rooted at /a/b.  The root dentry field of the mountinfo
entry will show '/a/b'.

 cat > /tmp/do1 << EOF
 mount -t cgroup -o freezer freezer /mnt
 grep freezer /proc/self/mountinfo
 EOF

 unshare -Gm  bash /tmp/do1
 > 330 160 0:34 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,freezer
 > 355 133 0:34 /a/b /mnt rw,relatime - cgroup freezer rw,freezer

The task's freezer cgroup entry in /proc/self/cgroup will simply show
'/':

 grep freezer /proc/self/cgroup
 9:freezer:/

If instead the same task simply bind mounts the /a/b cgroup directory,
the resulting mountinfo entry will again show /a/b for the dentry root.
However in this case the task will find its own cgroup at /mnt/a/b,
(Continue reading)
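An added example, not part of Serge's patch or the kernel: it parses the two mountinfo lines and the /proc/self/cgroup line quoted above and works out where the reader's own cgroup directory sits under each cgroup mount, which makes the problem the patch describes visible: with the pre-patch root field, the mount made inside the fresh cgroup namespace cannot be resolved because its root dentry reads '/a/b' while the task's cgroup reads '/'. The sample lines are copied from the post; the function names are mine.

```python
import posixpath

# Constructed input: the two freezer mountinfo lines and the /proc/self/cgroup line from the post.
SAMPLE_MOUNTINFO = (
    "330 160 0:34 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,freezer\n"
    "355 133 0:34 /a/b /mnt rw,relatime - cgroup freezer rw,freezer\n"
)
SAMPLE_PROC_CGROUP = "9:freezer:/\n"

def parse_mountinfo(text):
    """One dict per mountinfo line; optional fields before ' - ' are kept as a list."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        left, _, right = line.partition(" - ")
        f = left.split()
        fstype, source, super_opts = (right.split(None, 2) + [""] * 3)[:3]
        entries.append({
            "mount_id": int(f[0]), "parent_id": int(f[1]), "major_minor": f[2],
            "root": f[3], "mount_point": f[4], "options": f[5], "optional": f[6:],
            "fstype": fstype, "source": source, "super_options": super_opts,
        })
    return entries

def parse_proc_cgroup(text):
    """Map each controller named in /proc/self/cgroup to the task's cgroup path."""
    result = {}
    for line in filter(None, text.splitlines()):
        _hierarchy, ctrls, path = line.split(":", 2)
        result.update((c, path) for c in ctrls.split(",") if c)
    return result

def cgroup_dir(entry, task_cgroup):
    """Directory of the task's cgroup under this mount, or None when the task's cgroup
    is not below the mount's root dentry (the unshared-namespace case in the post:
    mountinfo root '/a/b', but the task's own cgroup reads '/')."""
    rel = posixpath.relpath(task_cgroup, entry["root"])
    if rel == ".":
        return entry["mount_point"]
    if rel == ".." or rel.startswith("../"):
        return None
    return posixpath.join(entry["mount_point"], rel)

def find_cgroup_dir(mountinfo_text, proc_cgroup_text, controller):
    """Resolve the task's cgroup directory for `controller`, trying each cgroup mount."""
    task_cgroup = parse_proc_cgroup(proc_cgroup_text).get(controller)
    for entry in parse_mountinfo(mountinfo_text):
        if entry["fstype"] != "cgroup" or controller not in entry["super_options"].split(","):
            continue
        found = None if task_cgroup is None else cgroup_dir(entry, task_cgroup)
        if found is not None:
            return found
    return None
```

Run against the sample, the /sys/fs/cgroup/freezer entry resolves to the task's cgroup directory while the /mnt entry does not, even though both are the same superblock (0:34).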

Eric W. Biederman | 4 May 17:02 2016

Re: Unprivileged containers and co-ordinating user namespaces

James Bottomley <James.Bottomley <at> HansenPartnership.com> writes:

> On Thu, 2016-04-28 at 16:00 -0700, W. Trevor King wrote:
>> On Thu, Apr 28, 2016 at 03:02:08PM -0700, James Bottomley wrote:
>> > /etc/usernamespaces
>> > 
>> > and the format be :::
>> > 
>> > …
>> > 
>> > If this sounds OK to people, I can code up a utility that does this,
>> > which should probably belong in util-linux.
>> 
>> This sounds a lot like shadow's newuidmap and newgidmap [1,2,3].
>> 
>> Cheers,
>> Trevor
>> 
>> [1]: https://github.com/shadow-maint/shadow/commit/673c2a6f9aa6c69588f4c1be08589b8d3475a520
>> [2]: http://man7.org/linux/man-pages/man1/newuidmap.1.html
>> [3]: http://man7.org/linux/man-pages/man5/subuid.5.html
>
> I think that mostly works.  No-one's packaging it yet, which is why I
> didn't notice.  It also looks like the build dependencies have vastly
> expanded, so I can't get it to build in the build service yet.

Both Fedora and Ubuntu should be packaging it.  Further Docker should
already be using these files.

> It looks like the only addition it needs is the setgroups flag for
(Continue reading)

James Bottomley | 3 May 20:20 2016

bind mounting namespace inodes for unprivileged users

Right at the moment, unprivileged users cannot call mount --bind to
create a permanent copy of any of their namespaces.  This is annoying
because it means that for entry to long running containers you have to
spawn an undying process and use nsenter via the /proc/<pid>/ns files.

The first question is:  assuming we restrict it to bind mounting only
nsfs inodes, is there any reason an unprivileged user shouldn't be able
to bind a namespace they've created to a file they own in the initial
mount namespace?

Assuming the answer to this is no, then how to implement it becomes the
next problem.  Right at the moment, util-linux/mount will deny a
non-root user the ability to use --bind.  This check could be relaxed
and, since mount is setuid root, it could be modified to force the
binding as root, meaning this could be implemented entirely within the
util-linux package.

Doing this from within the kernel sys_mount is much more problematic:
non-root users are forbidden from calling any type of mount by the
may_mount() check, which makes sure you only have root capability in
the user_ns attached to the current mnt_ns.  Overriding that simply to
allow nsfs binding looks like a recipe for introducing unexpected
security problems.

So, does anyone have any strong (or even weak) opinions about this
before I start coding patches?

James
Lidl | 2 May 19:55 2016

Exclusively for Lidl customers - a €500 voucher for you

Exclusively for Lidl customers - a €500 voucher for you. Hello containers <at> lists.linux-foundation.org,
this month Lidl celebrates its 85th birthday! For this reason we would like to offer all Lidl customers
a special opportunity, and every week we select 100 customers from various German cities. That means
400 customers will receive one of the many prizes we are raffling off. This week it is your turn!
Main prize: €500 voucher. 2nd prize: €150 voucher. 3rd prize: €50 voucher. 4th prize: €5 voucher.
Congratulations containers <at> lists.linux-foundation.org, your postcode was selected this week
together with 10 others in Germany. Enter your postcode and street on the following page and check
which prize you have won. Your postcode: you and (10) other people were selected. ARE YOU TODAY'S
LUCKY WINNER? CLICK HERE. 02681 Callenberg: (8) people selected. 38685 Langelsheim: (11) people
selected. 40723 Hilden: (6) people selected. 40593 Düsseldorf Urdenbach: (10) people selected.
97080 Würzburg: (13) people selected. 81541 München: (10) people selected. 27386 Hemsbünde: (12)
people selected. 54518 Platten: (10) people selected. 35119 Rosenthal: (10) people selected.
CLICK HERE TO SEE THE PRIZE.
_______________________________________________
Containers mailing list
Containers <at> lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers
Kundenservice | 30 Apr 21:58 2016

Important notice for containers <at> lists.linux-foundation.org

(Continue reading)

James Bottomley | 30 Apr 00:18 2016

Re: Unprivileged containers and co-ordinating user namespaces

On Fri, 2016-04-29 at 08:38 -0700, James Bottomley wrote:
> On Thu, 2016-04-28 at 16:00 -0700, W. Trevor King wrote:
> > On Thu, Apr 28, 2016 at 03:02:08PM -0700, James Bottomley wrote:
> > > /etc/usernamespaces
> > > 
> > > and the format be :::
> > > 
> > > …
> > > 
> > > If this sounds OK to people, I can code up a utility that does
> > > this,
> > > which should probably belong in util-linux.
> > 
> > This sounds a lot like shadow's newuidmap and newgidmap [1,2,3].
> > 
> > Cheers,
> > Trevor
> > 
> > [1]: https://github.com/shadow-maint/shadow/commit/673c2a6f9aa6c69588f4c1be08589b8d3475a520
> > [2]: http://man7.org/linux/man-pages/man1/newuidmap.1.html
> > [3]: http://man7.org/linux/man-pages/man5/subuid.5.html
> 
> I think that mostly works.  No-one's packaging it yet, which is why I
> didn't notice.  It also looks like the build dependencies have vastly
> expanded, so I can't get it to build in the build service yet.
> 
> It looks like the only addition it needs is the setgroups flag for
> newgidmap, which the security people will need, so I can patch that. 

(Continue reading)

W. Trevor King | 29 Apr 20:34 2016

Re: Unprivileged containers and co-ordinating user namespaces

On Fri, Apr 29, 2016 at 10:53:03AM -0500, Serge E. Hallyn wrote:
> Quoting James Bottomley:
> > I think that mostly works.  No-one's packaging it yet, which is why I
> 
> https://packages.debian.org/jessie/uidmap
> https://launchpad.net/ubuntu/yakkety/+package/uidmap
> http://rpm.pbone.net/index.php3/stat/45/idpl/28763248/numer/1/nazwa/newuidmap

On the other hand, Gentoo is waiting on a clean release tarball [1].
It looks like 4.3-1 was missing a clean autoreconf [2]?  Has anything
been pushed since?

Cheers,
Trevor

[1]: https://bugs.gentoo.org/show_bug.cgi?id=580432#c3
[2]: https://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2016-March/010924.html
     Subject: [Pkg-shadow-devel] new shadow release candidate
     Date: Tue Mar 22 18:58:55 UTC 2016

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
Roswitha Peters | 28 Apr 12:58 2016

I will show you how to lose 3 kilos a week

I will show you how to lose 3 kilos a week. Lose 3 kilos a week! Without extra exercise or a diet!
Find out here how you too can lose weight! Hello, my name is Roswitha Peters, and I am a health
consultant, and have been for over 20 years. In my long career I have truly seen a great deal. But
this discovery by Prof. Dr. Schreiber (Vienna/Miami) eclipses everything I have ever seen or heard
when it comes to "losing weight fast"! I feel a little like Ulrike (photo above), who still cannot
believe it. In just 3 weeks and 4 days she lost over 16 kilos (16.3 kilos, to be exact). And her
scale keeps going down! At first glance, Ulrike's story reads much like that of many, many other men
and women who have tried everything to finally get rid of their excess kilos, and who failed in the
end all the same. But now everything is different: now EVERYONE can lose weight, as much as they
want! Wonderfully simple, and lightning fast! Start your new, slim life NOW!
(Continue reading)

祥安小区 | 26 Apr 07:51 2016

祥安小区

Your old friend invites you to join QQ group 343257759 to grab coupons
Testers wanted | 25 Apr 14:29 2016

Test Ray-Ban for FREE now

Test Ray-Ban for FREE now. The number of test products is limited! Test & rate an original pair of
Ray-Ban sunglasses for free! 100% free of charge.     E-mail
containers@... Apply now
serge.hallyn | 22 Apr 19:26 2016

namespaced file capabilities

Hi,

I've sent a few patches and emails over the past months about supporting
file capabilities in user namespace confined containers.  A few of the
requirements as I see them are:

1. Root in a user namespace should be able to set file capabilities on a binary
for use by any user mapped into his namespace.

2. Any uid not mapped into the user namespace whose root user set file
capabilities should not gain privileges when running an executable which only
has file capabilities set by this root user.

3. Existing calls to cap_set_file(3) and cap_get_file(3) as well as
setcap(8) and getcap(8) should transparently work.  This would allow
package managers to simply set file capabilities in postinst.

Below is a kernel patch which implements a new security.nscapability
extended attribute.  Setting this xattr on a file requires cap_setfcap
against the current user namespace, and for the file to be owned by
a uid and gid mapped into that namespace.  When found on a file,
the capabilities will take effect only if the file is owned by the
root uid in the caller's namespace, or the root uid in any ancestor
namespace.

While this design supports nested namespaces, it does not support
use of file capabilities by users in unrelated namespaces.  So if
the same file is linked into two namespaces N1 and N2 which do not
share the same root kuid, then the only way for N1 and N2 to both
execute the file while respecting security.nscapability is to have
(Continue reading)
