Re: [PATCH v3 11/11] smack: documentation for the Smack namespace

From: Lukasz Pawelczyk
Date: Wed Jul 29 2015 - 13:05:29 EST


Just a clarification, from my previous email:

> 3. (exception #2) About the: "Without the host admin doing anything.".
> With this namespace you delegate part of CAP_MAC_ADMIN privilege to an
> unprivileged user (as with any other namespace). There is now way that
> this will not involve host admin.

What I meant is: "There is NO way that this will not involve host admin."
Typo, sorry.

On Wed, Jul 29, 2015 at 6:37 PM, Serge E. Hallyn <serge@xxxxxxxxxx> wrote:

> Ok, I'm hoping to discuss this with Casey at LSS. I assume there will
> be reasons why what I want is simply not possible, but I'd like to give
> it a shot :)
>
> One way around this might be to let the host admin say:
>
> create smack labels c1_a1..c1_aN. Map them into the container in a
> way such that they have no name in the container yet.
>
> Now when container admin says "create mysql_t", so long as there is
> a not-yet-named mapped label, c1-aM, it gets mapped to the new name.

This by itself, like I said, would theoretically be possible (without
the "no admin intervention" and "modifying rules" parts). You mark the
container as prefixed with something, let's say with "C1". Now any new
label you create inside a namespace will get an automatic (implicit)
mapping:

C1-label -> label

Casey disliked the idea for these reasons (there was actually more
than one, as I remember now):
1. What I said previously about special meaning for labels. The real
host label C1-label has a meaning now.
2. Labels have a specific max length. By prefixing them we reduce that
length, and it is presumed to be true in several parts of the code.
3. This mechanic allows users to import labels, and as Smack doesn't
free or reuse them this is potentially a DoS surface. Granted, this is
a technical limitation only that could be remedied at some point, but
for now the assumption that labels are not destroyed is taken
advantage of in several parts of the code to simplify the
implementation of Smack itself. (Mappings and mapped label structures
are freed with the end of life of the user namespace.)

> One hurdle to overcome there, of course, is how to reproduce that
> mapping the next time we create this container.

The name of the real label would hold the info (C1-label).

> Anyway, if this patchset is simply about making smack work in user_ns
> at all, I'll reread with that in mind :)

Would appreciate.

Thanks,
Lukasz
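A small model of the two schemes debated above (the implicit "C1-label" prefix mapping and Serge's pool of pre-created, not-yet-named mapped labels), added here as an illustration and not code from the Smack namespace patchset. It assumes Smack's SMK_LONGLABEL limit of 256 (labels shorter than that) and uses constructed label names; it shows how the prefix shortens the usable label length and how only the pool variant bounds growth of the never-freed host label table.

```python
# Toy model of Smack label mapping into a user namespace (added example).
SMK_LONGLABEL = 256  # assumed from security/smack/smack.h: a label must be < 256 chars


class HostSmack:
    """Host label table: Smack never frees or reuses labels, so it only grows."""

    def __init__(self):
        self.labels = []

    def import_label(self, name):
        if not 0 < len(name) < SMK_LONGLABEL:
            raise ValueError("label length out of range")
        if name not in self.labels:
            self.labels.append(name)
        return name


class PrefixNamespace:
    """Implicit mapping C1-label -> label: every container name is imported on the host."""

    def __init__(self, host, prefix):
        self.host, self.prefix = host, prefix

    def create_label(self, name):
        return self.host.import_label(f"{self.prefix}-{name}")

    def max_label_len(self):
        # the prefix and the "-" separator eat into the host-side 255-char limit
        return SMK_LONGLABEL - 1 - len(self.prefix) - 1


class PoolNamespace:
    """Serge's variant: host admin pre-creates c1_a1..c1_aN; container names bind to unused entries."""

    def __init__(self, host, prefix, n):
        self.pool = [host.import_label(f"{prefix}_a{i}") for i in range(1, n + 1)]
        self.mapping = {}  # container name -> host label, freed with the namespace

    def create_label(self, name):
        if name in self.mapping:
            return self.mapping[name]
        if len(self.mapping) == len(self.pool):
            raise RuntimeError("no not-yet-named mapped label left")
        self.mapping[name] = self.pool[len(self.mapping)]
        return self.mapping[name]


def simulate(n_names, pool_size=8):
    """Return (host labels after prefix scheme, host labels after pool scheme, refused creates)."""
    host_a, host_b = HostSmack(), HostSmack()
    prefix_ns, pool_ns = PrefixNamespace(host_a, "C1"), PoolNamespace(host_b, "c1", pool_size)
    refused = 0
    for i in range(n_names):
        prefix_ns.create_label(f"lbl{i}")  # constructed container label names
        try:
            pool_ns.create_label(f"lbl{i}")
        except RuntimeError:
            refused += 1
    return len(host_a.labels), len(host_b.labels), refused
```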