Re: [PATCH v2] xattr: Enable security.capability in user namespaces

From: Serge E. Hallyn
Date: Tue Jul 25 2017 - 23:00:11 EST

Next message: Todd Poynor: "Re: [PATCH] initcall_debug: add deferred probe times"
Previous message: Jonathan NeuschÃfer: "Re: [patches] [PATCH 17/17] RISC-V: Build Infastructure"
Next in thread: Mimi Zohar: "Re: [PATCH v2] xattr: Enable security.capability in user namespaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jul 14, 2017 at 03:26:14PM -0400, Mimi Zohar wrote:
> On Fri, 2017-07-14 at 13:17 -0500, Eric W. Biederman wrote:
> > Which brings us to the semantic question of would it be nice to have
> > stacked IMA/EVM on the same file.
> >
> > I really don't think we do. I think allowing multiple keys for
> > different part of trusting files is easy enough that we should have no
> > need to fight over which keys do which.
>
> We definitely want to support different policies on the native and in
> the namespace with different keys and keyrings.

Ok, so Stefan's code to support userspace in a container reading
security.ima and getting back the value for security.ima@uid=1000
(if 1000 is the kuid of the container's root user) is in fact
useful to IMA?

Next message: Todd Poynor: "Re: [PATCH] initcall_debug: add deferred probe times"
Previous message: Jonathan NeuschÃfer: "Re: [patches] [PATCH 17/17] RISC-V: Build Infastructure"
Next in thread: Mimi Zohar: "Re: [PATCH v2] xattr: Enable security.capability in user namespaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]