On Tue, Oct 14, 2014 at 3:45 PM, Serge E. Hallyn wrote:
> Quoting Andy Lutomirski (l...@amacapital.net):
>> On Tue, Oct 14, 2014 at 3:14 PM, Serge E. Hallyn wrote:
>> > Quoting Serge E. Hallyn (se...@hallyn.com):
>> >> Quoting Eric W. Biederman (ebied...@xmission.com):
>> >> > Andy Lutomirski wr
Quoting Andy Lutomirski (l...@amacapital.net):
> On Tue, Oct 14, 2014 at 3:14 PM, Serge E. Hallyn wrote:
> > Quoting Serge E. Hallyn (se...@hallyn.com):
> >> Quoting Eric W. Biederman (ebied...@xmission.com):
> >> > Andy Lutomirski writes:
> >> >
> >> > > If a process gets access to a mount from
On Tue, Oct 14, 2014 at 3:14 PM, Serge E. Hallyn wrote:
> Quoting Serge E. Hallyn (se...@hallyn.com):
>> Quoting Eric W. Biederman (ebied...@xmission.com):
>> > Andy Lutomirski writes:
>> >
>> > > If a process gets access to a mount from a descendent or unrelated
>> > > user namespace, that proce
On Tue, Oct 14, 2014 at 3:12 PM, Serge E. Hallyn wrote:
> Quoting Eric W. Biederman (ebied...@xmission.com):
>> Andy Lutomirski writes:
>>
>> > If a process gets access to a mount from a descendent or unrelated
>> > user namespace, that process should not be able to take advantage of
>> > setuid
Quoting Serge E. Hallyn (se...@hallyn.com):
> Quoting Eric W. Biederman (ebied...@xmission.com):
> > Andy Lutomirski writes:
> >
> > > If a process gets access to a mount from a descendent or unrelated
> > > user namespace, that process should not be able to take advantage of
> > > setuid files o
On Tue, Oct 14, 2014 at 3:07 PM, Andy Lutomirski wrote:
> On Tue, Oct 14, 2014 at 2:57 PM, Eric W. Biederman
>>> Seth, this should address a problem that's related to yours. If a
>>> userns creates an untrusted fs (by any means, although admittedly fuse
>>> and user namespaces don't work all th
Quoting Eric W. Biederman (ebied...@xmission.com):
> Andy Lutomirski writes:
>
> > If a process gets access to a mount from a descendent or unrelated
> > user namespace, that process should not be able to take advantage of
> > setuid files or selinux entrypoints from that filesystem.
> >
> > This
On Tue, Oct 14, 2014 at 2:57 PM, Eric W. Biederman
wrote:
> Andy Lutomirski writes:
>
>> If a process gets access to a mount from a descendent or unrelated
>> user namespace, that process should not be able to take advantage of
>> setuid files or selinux entrypoints from that filesystem.
>>
>> Th
Andy Lutomirski writes:
> If a process gets access to a mount from a descendent or unrelated
> user namespace, that process should not be able to take advantage of
> setuid files or selinux entrypoints from that filesystem.
>
> This will make it safer to allow more complex filesystems to be
> mou
If a process gets access to a mount from a descendent or unrelated
user namespace, that process should not be able to take advantage of
setuid files or selinux entrypoints from that filesystem.
This will make it safer to allow more complex filesystems to be
mounted in non-root user namespaces.
Th