On Mon, 08 Dec 2014 15:59:12 -0600
ebiederm@xxxxxxxxxxxx (Eric W. Biederman) wrote:

> David Howells <dhowells@xxxxxxxxxx> writes:
>
> > Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> >
> >> - How should LSM security labels be translated?
> >
> > I'm definitely interested in that. Especially with respect to how to deal
> > with SELinux + overlay{fs,}/unionmount.
> >
> > Also, I'm interested in how keyrings should interact with namespaces. Should
> > keys be namespaced?
>
> Key lookups are already per user namespace, so I would call that
> namespaced. We do have the question with keys, should we allow
> duplicate key values so that checkpoint/restart can carry keys between
> different kernels.
>
> > And I'm also interested in how upcalls, including to /sbin/request-key, should
> > be dealt with.
>
> Good question. There is some ongoing discussion on that right now.
>

Agreed. It would be nice to figure out what the end game is for all
call_usermodehelper type upcalls within namespaces (including the ones
for keyrings). What can we do to make that work as expected and be safe?

--
Jeff Layton <jlayton@xxxxxxxxxxxxxxx>