Re: [PATCH] Use CAP_SYS_RESOURCE as magic for escaping user namespaces.

On Tue, May 7, 2013 at 9:38 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:

> So far it appears that we don't need a device namespace.  As for most
> things the usual DAC permissions apply.

Serge, please note ;)


> The exceptions that I am aware of where we need something extra are
> cases where the device abstraction is simply insufficient and needs
> to be improved.
>
> You can pass real network devices between network namespaces.

Have you considered passing things like frame buffer, input subsystem
and/or modem(s)?


>>> Your goals are not 100% clear to me.  What is it about a user
>>> namespace that you want?
>>
>> I'm trying to experiment with a system that has init_ns size
>> of one tiny task and apart from that everything runs inside
>> containers. Because of this I need a way to elevate rights
>> of certain trusted applications inside user namespaces so
>> that they could operate against things requesting rights
>> from init ns.
>
> It will never be acceptable for tasks in a user namespace to have
> any rights outside of that user namespace.  Elevating rights is the
> wrong model.

As an ideal goal you're fully right, but given that the init_ns size is almost
non-existent, do you think it is realistic to expect that no one
ever needs elevated rights within the container?

So all in all, I'm trying to make things work for real and complete
Linux systems, since if this is done right I think it is possible that
in the long run distributions will start to default to running everything
inside a container. If there is no privilege escalation possibility at all,
you have just ruled out a huge bunch of existing configuration/etc. tools
and, for the next 5+ years, devices and kernel features.

For me containers are not so much a security feature but rather
a functional one.


> The model very much needs to be how do we make a device safe for use by
> an unprivileged user.
>
> Most devices you can allow access to users in a user namespace with a
> simple chmod.
>
> You will also have the problem of how do you mount filesystems.  Except
> for tmpfs I don't think there are any writable filesystems mountable in
> a mount namespace created by a user namespace.
>
> Your goal does sound interesting however.

Great to hear you agreed on the goal.


--
Janne
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers