On Thu, 2015-04-02 at 07:06 -0700, Andy Lutomirski wrote:
> On Thu, Apr 2, 2015 at 3:12 AM, James Bottomley
> wrote:
> > On Tue, 2015-03-31 at 16:17 +0200, Alexander Larsson wrote:
> >> On Tue, 2015-03-31 at 17:08 +0300, James Bottomley wrote:
> >> > On Tue
ich will be started by the user, and will run as the user.
There is no root involved in the call chain at all.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Alexander Larsson, Red Hat, Inc
al...@redhat.com ale
On Tue, 2015-03-31 at 16:07 +0300, James Bottomley wrote:
> On Tue, 2015-03-31 at 09:57 +0200, Alexander Larsson wrote:
> > On Fri, 2015-03-27 at 10:03 +0100, James Bottomley
> > >
> > > > On Fri, Feb 20, 2015 at 5:04 PM, Andy Lutomirski
> > > > wro
ainer where you got
permissions to mount via using user namespaces.
On Thu, 2015-05-28 at 11:44 -0500, Eric W. Biederman wrote:
> Andy Lutomirski writes:
>
> > On Thu, Apr 2, 2015 at 11:27 AM, Eric W. Biederman
> > wrote:
> > > Andy Lutomirski writes:
> > >
> > > > On Thu, Apr 2, 2015 at 7:29 AM, Ale
On Thu, 2015-05-28 at 12:14 -0500, Eric W. Biederman wrote:
> Alexander Larsson writes:
>
> > On Thu, 2015-05-28 at 11:44 -0500, Eric W. Biederman wrote:
> > > Andy Lutomirski writes:
> > >
> > > > On Thu, Apr 2, 2015 at 11:27 AM, Eric W. Biederman
On Thu, 2015-05-28 at 12:14 -0500, Eric W. Biederman wrote:
>
> > Where does the second namespace enter into this?
>
> Step a. Create a user namespace where uid 0 is mapped to your
> real uid, and set up your sandbox (aka mount /dev/pts and everything
> else).
>
> Step b. Create a nest
On Tue, Jun 23, 2015 at 8:06 AM, Andy Lutomirski wrote:
> 3. The sandbox model is, in my opinion, an experiment that isn't going
> to succeed. It's a poor model: a "restricted endpoint" (i.e. a
> sandboxed kdbus client) sees a view of the world defined by a limited
> policy language implemented
On Wed, Jun 24, 2015 at 5:38 PM, Andy Lutomirski wrote:
> Was this intentionally off-list?
Nah, that was a mistake, adding back the list.
> On Wed, Jun 24, 2015 at 8:10 AM, Alexander Larsson
>> The way I did it in the userspace proxy is to allow peer exited
>> messages
On Wed, Jun 24, 2015 at 9:43 PM, Andy Lutomirski wrote:
> On Wed, Jun 24, 2015 at 10:11 AM, Alexander Larsson
> wrote:
>> My name is on the dbus specification, and I am (and was
>> then) well aware of systems with object references. In fact, both
>> previous ipc systems
On Mon, 2015-05-18 at 16:39 +0200, Alexander Larsson wrote:
Didn't get any replies to the below kernel panic (testcase attached),
which seems rather important to fix. Reposting to a wider audience.
> If I build and run the attached break-kernel.c as a user I get this
> kernel panic on
s (setuid etc).
So,
Tested-by: al...@redhat.com
And please, can we get some eyeballs on this, it really is very useful
(and very simple too).
; will just work and ptmx will be owned by the namespace owner.
>
> Cc: Alexander Larsson
> Cc: mcla...@redhat.com
> Cc: "Eric W. Biederman"
> Cc: Linux Containers
> Signed-off-by: Andy Lutomirski
Tes
ed or not so that I can fall back on the
old workaround.
ive out those fds
> to apps that need them and meet whatever criteria are set. If you
> try
> to unshare your userns without the fd, it falls back to some simpler
> policy.
In practice though, how would the privilege broker know and apply the
criter