From: ebiederm@xmission.com (Eric W. Biederman)
To: Linux Containers
Cc: , , "Serge E. Hallyn"
Date: Mon, 19 Nov 2012 07:08:11 -0800
Message-ID: <87lidx8wbo.fsf@xmission.com>
Subject: [PATCH review 0/16] user namespace and namespace infrastructure completion

The following series of changes completes the user namespace and adds the much too long delayed bits of namespace infrastructure. This series of changes adds unprivileged creation of all namespaces, support for creating a user namespace with unshare, and support for entering a user namespace with setns.
The proc namespace files are converted into magic symlinks to avoid problems with dentry caching excessively keeping a namespace alive and dentry caching allowing the ptrace_may_access checks to be bypassed. The proc namespace files now have inode numbers that are always the same for the same user namespace, allowing stat to test if two file descriptors refer to the same namespace.

Eric W. Biederman (16):
  userns: Ignore suid and sgid on binaries if the uid or gid can not be mapped
  userns: Allow unprivileged users to create user namespaces.
  userns: Allow chown and setgid preservation
  userns: Allow setting a userns mapping to your current uid.
  userns: Allow unprivileged users to create new namespaces
  userns: Allow unprivileged use of setns.
  userns: Make create_new_namespaces take a user_ns parameter
  userns: Kill task_user_ns
  userns: Implement proc namespace operations
  userns: Implement unshare of the user namespace
  procfs: Print task uids and gids in the userns that opened the proc file
  userns: For /proc/self/{uid,gid}_map derive the lower userns from the struct file
  userns: Allow unprivileged mounts of proc and sysfs
  proc: Generalize proc inode allocation
  proc: Fix the namespace inode permission checks.
  proc: Usable inode numbers for the namespace file descriptors.
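The stat-based identity check described above, as an added example that is not part of this series: `same_ns()` (a name chosen here) compares two `/proc/<pid>/ns/*` files by device and inode number, reports a failed stat separately (EACCES when ptrace_may_access refuses the caller, ENOENT when the pid is gone), and `main()` shows the check against a child that has left the caller's user namespace with an unprivileged `unshare(CLONE_NEWUSER)`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Compare two namespace files (e.g. /proc/<pid>/ns/user) by (st_dev, st_ino).
 * Returns 1 if both refer to the same namespace, 0 if they differ, and -1 if
 * either stat() fails: EACCES means ptrace_may_access() refused the caller,
 * ENOENT means the pid or the namespace file does not exist. */
int same_ns(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

/* Demonstration (assumed setup, not from the series): fork a child, let it
 * unshare(CLONE_NEWUSER) without privilege, then compare user namespaces. */
int main(void)
{
    char path[64], byte; int fd[2]; pid_t pid;
    if (pipe(fd) != 0) { perror("pipe"); return 1; }
    pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {
        close(fd[0]);
        if (unshare(CLONE_NEWUSER) != 0)   /* fails where the kernel forbids it */
            perror("unshare(CLONE_NEWUSER)");
        if (write(fd[1], "x", 1) != 1) _exit(1);  /* tell the parent we are done */
        pause();
        _exit(0);
    }
    close(fd[1]);
    if (read(fd[0], &byte, 1) != 1) { perror("read"); return 1; }
    snprintf(path, sizeof path, "/proc/%d/ns/user", (int)pid);
    switch (same_ns("/proc/self/ns/user", path)) {
    case 1:  puts("child shares our user namespace (unshare failed?)"); break;
    case 0:  puts("child is in a different user namespace"); break;
    default: printf("cannot compare: %s\n", strerror(errno)); break;
    }
    kill(pid, SIGTERM); waitpid(pid, NULL, 0);
    return 0;
}
```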
 fs/attr.c                      |  11 ++-
 fs/exec.c                      |   9 +--
 fs/mount.h                     |   1 +
 fs/namespace.c                 |  14 +++
 fs/proc/array.c                |   2 +-
 fs/proc/generic.c              |  26 +++--
 fs/proc/inode.c                |   6 +-
 fs/proc/namespaces.c           | 177 +++++++++++++++++++++++++++++++++++-----
 fs/proc/root.c                 |   1 +
 fs/sysfs/mount.c               |   1 +
 include/linux/cred.h           |   2 -
 include/linux/ipc_namespace.h  |   9 ++-
 include/linux/nsproxy.h        |   2 +-
 include/linux/pid_namespace.h  |   1 +
 include/linux/proc_fs.h        |  18 ++++-
 include/linux/user_namespace.h |  10 ++
 include/linux/utsname.h        |   7 +-
 include/net/net_namespace.h    |   2 +
 init/version.c                 |   2 +
 ipc/msgutil.c                  |   2 +
 ipc/namespace.c                |  32 ++++++-
 kernel/fork.c                  |  33 +++++--
 kernel/nsproxy.c               |  34 ++++----
 kernel/pid.c                   |   1 +
 kernel/pid_namespace.c         |  12 +++
 kernel/ptrace.c                |  10 ++-
 kernel/sched/core.c            |  10 ++-
 kernel/user.c                  |   2 +
 kernel/user_namespace.c        | 147 +++++++++++++++++++++++++++----
 kernel/utsname.c               |  33 ++++++-
 net/core/net_namespace.c       |  31 +++++++-
 security/yama/yama_lsm.c       |  12 ++-
 32 files changed, 535 insertions(+), 125 deletions(-)