Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1758197AbcLVBQf (ORCPT <rfc822;w@1wt.eu>);
        Wed, 21 Dec 2016 20:16:35 -0500
Received: from out03.mta.xmission.com ([166.70.13.233]:54477 "EHLO
        out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1757510AbcLVBQc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 21 Dec 2016 20:16:32 -0500
From: ebiederm@xmission.com (Eric W. Biederman)
To: "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>, linux-api@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
        Andrey Vagin <avagin@openvz.org>,
        James Bottomley <James.Bottomley@hansenpartnership.com>,
        "W. Trevor King" <wking@tremily.us>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Jonathan Corbet <corbet@lwn.net>
References: <0e229ec4-e3fc-dd46-c5b9-3afa0f14bfcd@gmail.com>
        <87bmw7pm31.fsf@xmission.com>
        <65dd9028-8aa8-123e-ddff-807c44079a50@gmail.com>
        <878trae4g6.fsf@xmission.com>
        <fa9eec50-b634-51e9-fa37-4911010a1496@gmail.com>
        <8737hi5e67.fsf@xmission.com>
        <24b5d73e-0071-6be4-fa5b-391eb8aa0f78@gmail.com>
Date: Thu, 22 Dec 2016 13:27:41 +1300
In-Reply-To: <24b5d73e-0071-6be4-fa5b-391eb8aa0f78@gmail.com> (Michael
        Kerrisk's message of "Wed, 21 Dec 2016 10:53:00 +0100")
Message-ID: <87a8boq03m.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1cJrHc-0000JL-5g;;;mid=<87a8boq03m.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=101.100.131.98;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX1/8TqpSTbzCB8zNIfSF46w9tBtjvx5//g0=
X-SA-Exim-Connect-IP: 101.100.131.98
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.7 XMSubLong Long Subject
        *  1.5 XMNoVowels Alpha-numberic number with no vowels
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        * -3.0 BAYES_00 BODY: Bayes spam probability is 0 to 1%
        *      [score: 0.0021]
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa06 1397; Body=1 Fuz1=1 Fuz2=1]
        *  0.0 T_TooManySym_02 5+ unique symbols in subject
        *  0.0 T_TooManySym_01 4+ unique symbols in subject
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ;"Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 237 ms - load_scoreonly_sql: 0.05 (0.0%),
        signal_user_changed: 4.0 (1.7%), b_tie_ro: 2.8 (1.2%), parse: 0.93 (0.4%),
        extract_message_metadata: 3.4 (1.4%), get_uri_detail_list: 1.57 (0.7%),
        tests_pri_-1000: 4.0 (1.7%), tests_pri_-950: 1.23 (0.5%), tests_pri_-900:
        1.02 (0.4%), tests_pri_-400: 26 (10.9%), check_bayes: 25 (10.4%), b_tokenize:
        7 (3.0%), b_tok_get_all: 10 (4.1%), b_comp_prob: 2.1 (0.9%), b_tok_touch_all:
        3.7 (1.6%), b_finish: 0.70 (0.3%), tests_pri_0: 184 (77.8%),
        check_dkim_signature: 0.60 (0.3%), check_dkim_adsp: 3.0 (1.3%),
        tests_pri_500: 4.1 (1.7%), rewrite_mail: 0.00 (0.0%)
Subject: Re: [PATCH 0/2] Add further ioctl() operations for namespace discovery
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2267
Lines: 56

"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:

> Hi Eric,
>
> On 12/21/2016 01:17 AM, Eric W. Biederman wrote:
>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>> 
>>> Hi Eric,
>>>
>>> On 12/20/2016 09:22 PM, Eric W. Biederman wrote:
>>>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>>>
>>>>> Hello Eric,
>>>>>
>>>>> On 12/19/2016 11:53 PM, Eric W. Biederman wrote:
>>>>>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>>>>>

>> Now the question becomes who are the users of this?  Because it just
>> occurred to me that we now have an interesting complication.  Userspace
>> extending the meaning of the capability bits, and using to protect
>> additional things.  Ugh.  That could be a maintenance problem of another
>> flavor.  Definitely not my favorite.
>
> I don't follow you here. Could you say some more about what you mean?

I have seen user space userspace do thing such as extend CAP_SYS_REBOOT
to things such as permission to invoke "shutdown -r now".  Which
depending on what a clean reboot entails could be greately increasing
the scope of CAP_SYS_REBOOT.

I am concerned for that and similar situations that userspace
applications could lead us into situation that one wrong decision could
wind up being an unfixable mistake because fixing the mistake would
break userspsace.

>> So why are we asking the questions about what permissions a process has?
>
> My main interest here is monitoring/discovery/debugging on a running
> system. NS_GET_PARENT, NS_GET_USERNS, NS_GET_CREATOR_UID, and 
> NS_GET_NSTYPE provide most of what I'd like to see. Being able to ask
> "does this process have permissions in that namespace?" would be nice 
> to have in terms of understanding/debugging a system.

If we are just looking at explanations then I seem to have been
over-engineering things.  So let's just aim at the two ioctls.
Or at least the information in those ioctls.

With at least a comment on the ioctl returning the OWNER_UID that
describes why it is not a problem to if the owners uid is something like
((uid_t)-3).  Which overlaps with the space for error return codes.

I don't know if we are fine or not, but that review comment definitely
deserves some consideration.

Eric