Quoting Amir Goldstein (amir7...@gmail.com):
> On Wed, Jun 28, 2017 at 8:41 AM, Serge E. Hallyn wrote:
> > Hi Amir,
> >
> > I was liking the prefix at first, but I'm actually not sure it's worth
> > it. The main advantage would be so that checking for namespace or other
> > tags could be done alw
On 06/28/2017 03:18 AM, Amir Goldstein wrote:
On Wed, Jun 28, 2017 at 8:41 AM, Serge E. Hallyn wrote:
On Fri, Jun 23, 2017 at 10:01:46AM +0300, Amir Goldstein wrote:
On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger
wrote:
This series of patches' primary goal is to enable file capabilities
in us
On Wed, Jun 28, 2017 at 8:41 AM, Serge E. Hallyn wrote:
> On Fri, Jun 23, 2017 at 10:01:46AM +0300, Amir Goldstein wrote:
>> On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger
>> wrote:
>> > This series of patches' primary goal is to enable file capabilities
>> > in user namespaces without affecting t
On Fri, Jun 23, 2017 at 10:01:46AM +0300, Amir Goldstein wrote:
> On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger
> wrote:
> > This series of patches' primary goal is to enable file capabilities
> > in user namespaces without affecting the file capabilities that are
> > effective on the host. This i
On 6/23/2017 4:09 PM, Stefan Berger wrote:
> On 06/23/2017 02:35 PM, Serge E. Hallyn wrote:
>> Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
>>> On 06/23/2017 12:16 PM, Casey Schaufler wrote:
On 6/23/2017 9:00 AM, Serge E. Hallyn wrote:
> Quoting Amir Goldstein (amir7...@gmail.com):
On 06/23/2017 02:35 PM, Serge E. Hallyn wrote:
Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
On 06/23/2017 12:16 PM, Casey Schaufler wrote:
On 6/23/2017 9:00 AM, Serge E. Hallyn wrote:
Quoting Amir Goldstein (amir7...@gmail.com):
On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger
wrote:
T
Quoting Vivek Goyal (vgo...@redhat.com):
> On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote:
> > Quoting Vivek Goyal (vgo...@redhat.com):
> > > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:
> > > > This series of patches' primary goal is to enable file capabilities
>
On Fri, Jun 23, 2017 at 03:17:23PM -0500, Serge E. Hallyn wrote:
> Quoting Vivek Goyal (vgo...@redhat.com):
> > On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:
> > > This series of patches' primary goal is to enable file capabilities
> > > in user namespaces without affecting the file
On 6/23/2017 11:35 AM, Serge E. Hallyn wrote:
> Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
>> On 06/23/2017 12:16 PM, Casey Schaufler wrote:
>>> On 6/23/2017 9:00 AM, Serge E. Hallyn wrote:
Quoting Amir Goldstein (amir7...@gmail.com):
> On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berg
Quoting Vivek Goyal (vgo...@redhat.com):
> On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:
> > This series of patches' primary goal is to enable file capabilities
> > in user namespaces without affecting the file capabilities that are
> > effective on the host. This is to prevent that
On Thu, Jun 22, 2017 at 02:59:46PM -0400, Stefan Berger wrote:
> This series of patches' primary goal is to enable file capabilities
> in user namespaces without affecting the file capabilities that are
> effective on the host. This is to prevent that any unprivileged user
> on the host maps his own
Quoting Eric W. Biederman (ebied...@xmission.com):
> Even with one xattr of any type there is something appealing about
> putting the logic that limits that xattr to a namespace in the name. As
Exactly. That's the idea - from Stefan - that I thought was a worthwhile
improvement over my own previ
Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
> On 06/23/2017 12:16 PM, Casey Schaufler wrote:
> >On 6/23/2017 9:00 AM, Serge E. Hallyn wrote:
> >>Quoting Amir Goldstein (amir7...@gmail.com):
> >>>On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger
> >>> wrote:
> This series of patches primary
Quoting Stefan Berger (stef...@linux.vnet.ibm.com):
> On 06/23/2017 01:07 PM, James Bottomley wrote:
> >On Fri, 2017-06-23 at 11:30 -0500, Serge E. Hallyn wrote:
> >>Quoting Casey Schaufler (ca...@schaufler-ca.com):
> >>>Or maybe just security.ns.capability, taking James' comment into
> >>>account.
Quoting Eric W. Biederman (ebied...@xmission.com):
> "Serge E. Hallyn" writes:
>
> > Quoting Casey Schaufler (ca...@schaufler-ca.com):
> >> On 6/23/2017 9:30 AM, Serge E. Hallyn wrote:
> >> > Quoting Casey Schaufler (ca...@schaufler-ca.com):
> >> >> Or maybe just security.ns.capability, taking Ja
On 06/23/2017 12:16 PM, Casey Schaufler wrote:
On 6/23/2017 9:00 AM, Serge E. Hallyn wrote:
Quoting Amir Goldstein (amir7...@gmail.com):
On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger
wrote:
This series of patches' primary goal is to enable file capabilities
in user namespaces without affectin
"Serge E. Hallyn" writes:
> Quoting Casey Schaufler (ca...@schaufler-ca.com):
>> On 6/23/2017 9:30 AM, Serge E. Hallyn wrote:
>> > Quoting Casey Schaufler (ca...@schaufler-ca.com):
>> >> Or maybe just security.ns.capability, taking James' comment into account.
>> > That last one may be suitable a
James Bottomley writes:
> On Thu, 2017-06-22 at 18:36 -0500, Serge E. Hallyn wrote:
>> Quoting James Bottomley (james.bottom...@hansenpartnership.com):
>> > On Thu, 2017-06-22 at 14:59 -0400, Stefan Berger wrote:
>> > > This series of patches primary goal is to enable file
>> > > capabilities in
On 06/23/2017 01:07 PM, James Bottomley wrote:
On Fri, 2017-06-23 at 11:30 -0500, Serge E. Hallyn wrote:
Quoting Casey Schaufler (ca...@schaufler-ca.com):
Or maybe just security.ns.capability, taking James' comment into
account.
That last one may be suitable as an option, useful for his partic
Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> On Fri, 2017-06-23 at 11:30 -0500, Serge E. Hallyn wrote:
> > Quoting Casey Schaufler (ca...@schaufler-ca.com):
> > > Or maybe just security.ns.capability, taking James' comment into
> > > account.
> >
> > That last one may be suit
On Fri, 2017-06-23 at 11:30 -0500, Serge E. Hallyn wrote:
> Quoting Casey Schaufler (ca...@schaufler-ca.com):
> > Or maybe just security.ns.capability, taking James' comment into
> > account.
>
> That last one may be suitable as an option, useful for his particular
> (somewhat barbaric :) use case
Quoting Casey Schaufler (ca...@schaufler-ca.com):
> On 6/23/2017 9:30 AM, Serge E. Hallyn wrote:
> > Quoting Casey Schaufler (ca...@schaufler-ca.com):
> >> Or maybe just security.ns.capability, taking James' comment into account.
> > That last one may be suitable as an option, useful for his partic
On 6/23/2017 9:30 AM, Serge E. Hallyn wrote:
> Quoting Casey Schaufler (ca...@schaufler-ca.com):
>> On 6/23/2017 9:00 AM, Serge E. Hallyn wrote:
>>> Quoting Amir Goldstein (amir7...@gmail.com):
On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger
wrote:
> This series of patches primary goa
Quoting Casey Schaufler (ca...@schaufler-ca.com):
> On 6/23/2017 9:00 AM, Serge E. Hallyn wrote:
> > Quoting Amir Goldstein (amir7...@gmail.com):
> >> On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger
> >> wrote:
> >>> This series of patches' primary goal is to enable file capabilities
> >>> in user n
On 6/23/2017 9:00 AM, Serge E. Hallyn wrote:
> Quoting Amir Goldstein (amir7...@gmail.com):
>> On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger
>> wrote:
>>> This series of patches' primary goal is to enable file capabilities
>>> in user namespaces without affecting the file capabilities that are
>>>
Quoting Amir Goldstein (amir7...@gmail.com):
> On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger
> wrote:
> > This series of patches' primary goal is to enable file capabilities
> > in user namespaces without affecting the file capabilities that are
> > effective on the host. This is to prevent that a
On Thu, Jun 22, 2017 at 9:59 PM, Stefan Berger
wrote:
> This series of patches' primary goal is to enable file capabilities
> in user namespaces without affecting the file capabilities that are
> effective on the host. This is to prevent that any unprivileged user
> on the host maps his own uid to
Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> On Thu, 2017-06-22 at 18:36 -0500, Serge E. Hallyn wrote:
> > Yes, the use case is: to allow root in the container to set the
> > privilege itself, without endangering any resources not owned by
> > that root.
>
> OK, so you envisa
On Thu, 2017-06-22 at 18:36 -0500, Serge E. Hallyn wrote:
> Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> > On Thu, 2017-06-22 at 14:59 -0400, Stefan Berger wrote:
> > > This series of patches primary goal is to enable file
> > > capabilities in user namespaces without affecti
Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> On Thu, 2017-06-22 at 14:59 -0400, Stefan Berger wrote:
> > This series of patches' primary goal is to enable file capabilities
> > in user namespaces without affecting the file capabilities that are
> > effective on the host. This i
Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> On Thu, 2017-06-22 at 14:59 -0400, Stefan Berger wrote:
> > This series of patches' primary goal is to enable file capabilities
> > in user namespaces without affecting the file capabilities that are
> > effective on the host. This i
On Thu, 2017-06-22 at 14:59 -0400, Stefan Berger wrote:
> This series of patches' primary goal is to enable file capabilities
> in user namespaces without affecting the file capabilities that are
> effective on the host. This is to prevent that any unprivileged user
> on the host maps his own uid to
Quoting Casey Schaufler (ca...@schaufler-ca.com):
> On 6/22/2017 2:09 PM, Serge E. Hallyn wrote:
> > Quoting Casey Schaufler (ca...@schaufler-ca.com):
> >> On 6/22/2017 1:12 PM, Stefan Berger wrote:
> >>> On 06/22/2017 03:59 PM, Casey Schaufler wrote:
> On 6/22/2017 11:59 AM, Stefan Berger wro
On 6/22/2017 2:09 PM, Serge E. Hallyn wrote:
> Quoting Casey Schaufler (ca...@schaufler-ca.com):
>> On 6/22/2017 1:12 PM, Stefan Berger wrote:
>>> On 06/22/2017 03:59 PM, Casey Schaufler wrote:
On 6/22/2017 11:59 AM, Stefan Berger wrote:
> This series of patches primary goal is to enable f
Quoting Casey Schaufler (ca...@schaufler-ca.com):
> On 6/22/2017 1:12 PM, Stefan Berger wrote:
> > On 06/22/2017 03:59 PM, Casey Schaufler wrote:
> >> On 6/22/2017 11:59 AM, Stefan Berger wrote:
> >>> This series of patches' primary goal is to enable file capabilities
> >>> in user namespaces withou
On 06/22/2017 04:33 PM, Casey Schaufler wrote:
On 6/22/2017 1:12 PM, Stefan Berger wrote:
On 06/22/2017 03:59 PM, Casey Schaufler wrote:
On 6/22/2017 11:59 AM, Stefan Berger wrote:
This series of patches' primary goal is to enable file capabilities
in user namespaces without affecting the file
On 6/22/2017 1:12 PM, Stefan Berger wrote:
> On 06/22/2017 03:59 PM, Casey Schaufler wrote:
>> On 6/22/2017 11:59 AM, Stefan Berger wrote:
>>> This series of patches' primary goal is to enable file capabilities
>>> in user namespaces without affecting the file capabilities that are
>>> effective on
On 06/22/2017 03:59 PM, Casey Schaufler wrote:
On 6/22/2017 11:59 AM, Stefan Berger wrote:
This series of patches' primary goal is to enable file capabilities
in user namespaces without affecting the file capabilities that are
effective on the host. This is to prevent that any unprivileged user
o
On 6/22/2017 11:59 AM, Stefan Berger wrote:
> This series of patches' primary goal is to enable file capabilities
> in user namespaces without affecting the file capabilities that are
> effective on the host. This is to prevent that any unprivileged user
> on the host maps his own uid to root in a p
This series of patches' primary goal is to enable file capabilities
in user namespaces without affecting the file capabilities that are
effective on the host. This is to prevent that any unprivileged user
on the host maps his own uid to root in a private namespace, writes
the xattr, and executes the