Re: [patch 07/10] unprivileged mounts: add sysctl tunable for "safe" property

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Miklos Szeredi

Subject: Re: [patch 07/10] unprivileged mounts: add sysctl tunable for "safe" property

Date: Wednesday, February 6, 2008 - 2:11 pm

> > +	t->table[0].mode = 0644;
quoted text> 
> Yikes, this could be a problem for containers, as it's simply tied to
> uid 0, whereas tying it to a capability would let us solve it with
> capability bounds.
> 
> This might mean more urgency to get user namespaces working at least
> with sysfs, else this is a quick way around having CAP_SYS_ADMIN taken
> out of a container's capability bounding set.

I think I understand the problem, but not the solution.  How do user
namespaces going to help?

Maybe sysctls just need to check capabilities, instead of uids.  I
think that would make a lot of sense anyway.

Thanks,
Miklos
-
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[patch 07/10] unprivileged mounts: add sysctl tunable for ..., Miklos Szeredi, (Tue Feb 5, 2:36 pm)

Re: [patch 07/10] unprivileged mounts: add sysctl tunable ..., Serge E. Hallyn, (Wed Feb 6, 1:21 pm)

Re: [patch 07/10] unprivileged mounts: add sysctl tunable ..., Miklos Szeredi, (Wed Feb 6, 2:11 pm)

Re: [patch 07/10] unprivileged mounts: add sysctl tunable ..., Serge E. Hallyn, (Wed Feb 6, 3:45 pm)

Re: [patch 07/10] unprivileged mounts: add sysctl tunable ..., Miklos Szeredi, (Thu Feb 7, 1:09 am)

Re: [patch 07/10] unprivileged mounts: add sysctl tunable ..., Serge E. Hallyn, (Thu Feb 7, 7:05 am)

Re: [patch 07/10] unprivileged mounts: add sysctl tunable ..., Miklos Szeredi, (Thu Feb 7, 7:36 am)

Re: [patch 07/10] unprivileged mounts: add sysctl tunable ..., Aneesh Kumar K.V, (Thu Feb 7, 8:33 am)

Re: [patch 07/10] unprivileged mounts: add sysctl tunable ..., Miklos Szeredi, (Thu Feb 7, 9:24 am)

Re: [patch 07/10] unprivileged mounts: add sysctl tunable ..., Serge E. Hallyn, (Thu Feb 7, 9:57 am)


linux-kernel:
Paul Turner	[tg_shares_up rewrite v2 11/11] sched: update tg->shares after cpu.shares write
Ingo Molnar	Re: [RFC] Cpu-hotplug: Using the Process Freezer (try2)
Michal Nazarewicz	Re: [PATCH] USB: Gadget: g_multi: added INF file for gadget with multiple configur...
Eric W. Biederman	Re: init's children list is long and slows reaping children.
Jeffrey V. Merkey	Re: Versioning file system
git:
Matthieu Moy	Re: Bugs in Gitosis
Daniel Barkalow	Re: About git and the use of SHA-1
David Lang	Re: mingw, windows, crlf/lf, and git
Shawn O. Pearce	Re: Bugs in Gitosis
Junio C Hamano	Re: [PATCH 14/21] Convert ce_path_match() to use struct pathspec
linux-netdev:
David Miller	Re: [2.6.30-rc3] powerpc: compilation error of mace module
David Miller	Re: [PATCH] ipv6: fix display of local and remote sit endpoints
Cong Wang	Re: [PATCH] s2io: add dynamic LRO disable support
Tobacco New Year Promo
Eric Dumazet	Re: [PATCH] net: implement emergency route cache rebulds when gc_elasticity is exc...
git-commits-head:
Linux Kernel Mailing List	V4L/DVB: tm6000: add special usb request to quit i2c tuner transfer
Linux Kernel Mailing List	of/flattree: merge early_init_dt_scan_memory() common code
Linux Kernel Mailing List	b43: N-PHY: add some registers and structs definitions
Linux Kernel Mailing List	powerpc: Move /proc/ppc64 to /proc/powerpc and add symlink
Linux Kernel Mailing List	drivers/acpi: use kasprintf
openbsd-misc:
Ted Bullock	Re: Proliant DL380 G3 cannot get on network
Eric Furman	Re: Defending OpenBSD Performance
Damien Miller	Re: Patching a SSH 'Weakness'
Tony Abernethy	Re: The Atheros story in much fewer words
Nick Holland	Re: 1 out of 3 hunks failed--saving rejects to kerberosV/src/lib/krb5/crypto.c.rej