From: Linus Torvalds
Date: Wed, 21 Feb 2018 11:52:33 -0800
Subject: Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions
To: Andi Kleen
Cc: Ard Biesheuvel, "Luck, Tony", Joe Konno, "linux-efi@vger.kernel.org", Linux Kernel Mailing List, Jeremy Kerr, Matthew Garrett, Peter Jones, Andy Lutomirski, James Bottomley
In-Reply-To: <20180221182104.GI3231@tassilo.jf.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Feb 21, 2018 at 10:21 AM, Andi Kleen wrote:
>
> How about uid name spaces? Someone untrusted in a container could
> create a lot of uids and switch between them.

Anybody who does that deserves whatever the hell they get.

You can already blow out a lot of other resources that way. If you can
create users indiscriminately enough, you can bypass most other
resource limits too.

If you think containers protect against security issues from untrusted
users, I have a bridge to sell you.

Linus