Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> Serge Hallyn <serge.hallyn@xxxxxxxxxx> writes:
>
> > Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> >> Stéphane Graber <stgraber@xxxxxxxxxx> writes:
> >>
> >> > On Fri, Dec 12, 2014 at 03:38:18PM -0600, Eric W. Biederman wrote:
> >> >> Serge Hallyn <serge.hallyn@xxxxxxxxxx> writes:
> >> >>
> >> >> > Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
> >> >> >>
> >> >> >> Will people please test these patches with their container project?
> >> >> >>
> >> >> >> These changes break container userspace (hopefully in a minimal way); if
> >> >> >> I could have that confirmed by testing I would really appreciate it. I
> >> >> >> really don't want to send out a bug fix that accidentally breaks
> >> >> >> userspace again.
> >> >> >>
> >> >> >> The only issue sort of under discussion is if there is a better name for
> >> >> >> /proc/<pid>/setgroups, and the name of the file will not affect the
> >> >> >> functionality of the patchset.
> >> >> >>
> >> >> >> With the code reviewed and written in simple, obviously correct, easily
> >> >> >> reviewable ways I am hoping/planning to send this to Linus ASAP.
> >> >> >>
> >> >> >> Eric
> >> >> >
> >> >> > Is there a git tree we can clone?
> >> >>
> >> >> Have either of you been able to check to see if any of my changes
> >> >> affects lxc?
> >> >>
> >> >> I am trying to gauge how hard and how fast I should push to Linus, lxc
> >> >> being the largest adopter of unprivileged user namespaces for general
> >> >> purpose containers.
> >> >>
> >> >> I expect you just call newuidmap and newgidmap and don't actually care
> >> >> about not being able to set gid_map without privilege. But I really
> >> >> want to avoid pushing a security fix and then being surprised that
> >> >> things like lxc break.
> >> >>
> >> >> Eric
> >> >
> >> > Hi Eric,
> >> >
> >> > I've unfortunately been pretty busy this week as I was (well, still am)
> >> > travelling to South Africa for a meeting. I don't have a full kernel
> >> > tree around here and a full git clone isn't really doable over the kind
> >> > of Internet I've got here :)
> >> >
> >> > Hopefully Serge can give it a quick try, otherwise I should be able to
> >> > do some tests on Tuesday when I'm back home.
> >>
> >> I thought Serge was going to but I haven't heard yet so I am prodding ;-)
> >
> > Ok, thanks - yes, unprivileged lxc is working fine with your kernels.
> > Just to be sure I was testing the right thing I also tested using
> > my unprivileged nsexec testcases, and they failed on setgroup/setgid
> > as now expected, and succeeded there without your patches.
>
> Thanks.
>
> Serge, unless you object, I will add your Tested-By to my pull message to Linus.

Sounds good.

> Minor question: do your unprivileged nsexec test cases test to see if the
> write to gid_map succeeds? I would have expected the gid_map write to
> fail before the setgroups/setgid system calls came into play.

Yes, I did that by hand, and it failed (with your kernel).

-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
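The behaviour Serge confirms by hand above (an unprivileged write to gid_map that is refused until "deny" has been written to /proc/<pid>/setgroups, after which setgroups(2) itself is refused inside the namespace) as a small self-contained C probe. This is an added example, not Serge's nsexec test cases and not code from Eric's patch series; the function names and result codes are my own. It assumes a Linux kernel that carries the setgroups change, a mounted /proc, and an unprivileged caller: root holds CAP_SETGID in the parent namespace and is not subject to the restriction, so the probe reports itself as skipped there, just as it does where user namespace creation is unavailable (seccomp, sysctl, or an older kernel).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one probe; the forked child hands it back as its exit status. */
enum probe_result {
    PROBE_SKIPPED = 0,                 /* no usable user namespace here (root, seccomp, sysctl, old kernel) */
    PROBE_MAP_DENIED = 1,              /* the gid_map write was refused */
    PROBE_MAP_OK = 2,                  /* gid_map written and setgroups(2) still permitted */
    PROBE_MAP_OK_SETGROUPS_DENIED = 3, /* gid_map written and setgroups(2) now fails with EPERM */
};

/* Write a string to a /proc file in a single write(2) call; the map files
 * reject partial or repeated writes.  Returns 0 on success, -errno on failure. */
static int write_proc(const char *path, const char *buf)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, buf, strlen(buf));
    int err = (n < 0) ? errno : 0;
    close(fd);
    return (n < 0) ? -err : 0;
}

/* Body of the forked child.  The gid is captured before unshare(2): once we
 * sit inside a namespace with no gid_map, getegid() only reports the overflow gid. */
static int child_probe(int deny_first)
{
    unsigned gid_in_parent = (unsigned)getegid();
    char map[64];

    if (unshare(CLONE_NEWUSER) < 0)
        return PROBE_SKIPPED;
    if (deny_first && write_proc("/proc/self/setgroups", "deny") < 0)
        return PROBE_SKIPPED; /* file absent (kernel without the setgroups change) or unwritable */

    /* Map our own gid to 0 inside the new namespace: the one mapping an
     * unprivileged creator is allowed, and only once setgroups is denied. */
    snprintf(map, sizeof map, "0 %u 1\n", gid_in_parent);
    if (write_proc("/proc/self/gid_map", map) < 0)
        return PROBE_MAP_DENIED;

    /* With setgroups denied, dropping supplementary groups must be refused too. */
    if (setgroups(0, NULL) < 0 && errno == EPERM)
        return PROBE_MAP_OK_SETGROUPS_DENIED;
    return PROBE_MAP_OK;
}

/* Run one probe in a child so the caller's own namespace is untouched.
 * deny_first selects whether "deny" is written to setgroups before gid_map. */
int probe_gid_map(int deny_first)
{
    int status;
    pid_t pid;

    /* Root has CAP_SETGID in the parent namespace and is never blocked, so the
     * probe would prove nothing; report it as skipped (assumption of this example). */
    if (geteuid() == 0)
        return PROBE_SKIPPED;

    pid = fork();
    if (pid < 0)
        return PROBE_SKIPPED;
    if (pid == 0)
        _exit(child_probe(deny_first));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_SKIPPED;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = {
        "skipped", "gid_map denied",
        "gid_map ok, setgroups allowed", "gid_map ok, setgroups denied",
    };
    printf("without deny: %s\n", names[probe_gid_map(0)]);
    printf("with deny:    %s\n", names[probe_gid_map(1)]);
    return 0;
}
```

Run it as an ordinary user. On a kernel with the change, the first probe reports "gid_map denied" and the second "gid_map ok, setgroups denied"; that pairing is the check Eric asks about, since it shows the gid_map write is refused before any setgroups or setgid call is reached, and that writing "deny" is what unlocks the mapping. Both lines reading "skipped" means the environment does not let this user create a user namespace at all, which is a different finding from the kernel permitting the write.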