Message-ID: <1541081413.2853.6.camel@HansenPartnership.com>
Subject: Re: [PATCH v6 0/1] ns: introduce binfmt_misc namespace
From: James Bottomley
To: Jann Horn
Cc: Laurent Vivier, kernel list, Linux API, containers@lists.linux-foundation.org, dima@arista.com, Al Viro, linux-fsdevel@vger.kernel.org, "Eric W. Biederman"
Date: Thu, 01 Nov 2018 07:10:13 -0700
References: <20181010161430.11633-1-laurent@vivier.eu> <7ed6f823-547b-922d-59ff-aba9c4c3ab39@vivier.eu> <1541041159.4632.6.camel@HansenPartnership.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 2018-11-01 at 04:51 +0100, Jann Horn wrote:
> On Thu, Nov 1, 2018 at 3:59 AM James Bottomley wrote:
> >
> > On Tue, 2018-10-16 at 11:52 +0200, Laurent Vivier wrote:
> > > Hi,
> > >
> > > Any comment on this last version?
> > >
> > > Any chance to be merged?
> >
> > I've got a use case for this: I went to one of the Graphene talks
> > in Edinburgh and it struck me that we seem to keep reinventing the
> > type of sandboxing that qemu-user already does. However if you
> > want to do an x86 on x86 sandbox, you can't currently use the
> > binfmt_misc mechanism because that has you running *every* binary
> > on the system emulated. Doing it per user namespace fixes this
> > problem and allows us to at least cut down on all the pointless
> > duplication.
>
> Waaaaaait. What? qemu-user does not do "sandboxing". qemu-user makes
> your code slower and *LESS* secure. As far as I know, qemu-user is
> only intended for purposes like development and testing.

Sandboxing is about protecting the cloud service provider (and other
tenants) from horizontal attack by reducing calls to the shared kernel.
I think it's pretty indisputable that full emulation is an effective
sandbox in that regard. We can argue about bugginess vs completeness,
but technologically qemu-user already has most of the system calls,
which seems to be a significant problem with other sandboxes. I also
can't dispute it's slower, but that's a tradeoff for people to make.

James
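The thread's point about binfmt_misc is that a registration is system-wide: an entry whose magic matches the host's own ELF class and machine type routes every native binary on the box through the registered interpreter, which is why an x86-on-x86 qemu-user sandbox cannot be set up for just one workload today. The following is an added example written for this page, not code from the patch series or from qemu; it models how the kernel matches binfmt_misc registration strings (`:name:type:offset:magic:mask:interpreter:flags`, the format written to `/proc/sys/fs/binfmt_misc/register`) against the first bytes of an executable. The two registration strings are constructed to resemble qemu's x86_64 and aarch64 entries, the ELF headers and file names are constructed sample data, and `BINPRM_BUF_SIZE = 128` is the 4.x-era header buffer size assumed here.

```python
"""Model of binfmt_misc registration matching (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Bytes of the executable the 4.x kernels hand to binfmt handlers
# (BINPRM_BUF_SIZE); a magic match has to fit entirely inside it.
BINPRM_BUF_SIZE = 128


@dataclass
class BinfmtEntry:
    name: str
    kind: str          # "M": match bytes at an offset; "E": match a filename extension
    offset: int
    magic: bytes       # for "E", the extension without the leading dot
    mask: bytes        # ANDed with the file bytes before comparison (all 0xff if omitted)
    interpreter: str
    flags: str         # e.g. "OCF" in qemu's registrations


def _unescape(field: str) -> bytes:
    """Expand \\xHH escapes the way the registration parser does."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  field.encode("latin-1"))


def parse_registration(line: str) -> BinfmtEntry:
    """Parse ':name:type:offset:magic:mask:interpreter:flags'.
    The first character of the string is the field delimiter."""
    line = line.rstrip("\n")
    delim = line[0]
    parts = line[1:].split(delim)
    if len(parts) < 6:
        raise ValueError("registration needs at least 6 fields")
    name, kind, offset, magic, mask, interp = parts[:6]
    flags = parts[6] if len(parts) > 6 else ""
    if kind == "M":
        magic_b = _unescape(magic)
        mask_b = _unescape(mask) if mask else b"\xff" * len(magic_b)
        off = int(offset) if offset else 0
        if not magic_b or len(mask_b) != len(magic_b):
            raise ValueError("magic and mask must be non-empty and of equal length")
        if off + len(magic_b) > BINPRM_BUF_SIZE:
            raise ValueError("magic does not fit in the header buffer")
    elif kind == "E":
        if mask or offset:
            raise ValueError("extension entries take no offset or mask")
        magic_b, mask_b, off = magic.encode(), b"", 0
    else:
        raise ValueError(f"unknown entry type {kind!r}")
    return BinfmtEntry(name, kind, off, magic_b, mask_b, interp, flags)


def matches(entry: BinfmtEntry, header: bytes, filename: str) -> bool:
    """True if this entry would claim the exec() of `filename` with these header bytes."""
    if entry.kind == "E":
        # the kernel compares the text after the last '.' of the path
        return "." in filename and filename.rsplit(".", 1)[1] == entry.magic.decode()
    segment = header[entry.offset:entry.offset + len(entry.magic)]
    if len(segment) < len(entry.magic):
        return False
    return all((b & m) == g for b, m, g in zip(segment, entry.mask, entry.magic))


def first_match(entries: List[BinfmtEntry], header: bytes, filename: str) -> Optional[str]:
    """binfmt_misc inserts itself at the head of the binfmt list, so the first
    matching entry wins over the native ELF loader; None means 'native loader'."""
    for e in entries:
        if matches(e, header, filename):
            return e.name
    return None


# Constructed registrations modelled on qemu's: 20-byte magic covering e_ident,
# e_type and e_machine; the mask ignores OSABI (byte 7) and bit 0 of e_type so
# both ET_EXEC and ET_DYN (PIE) binaries match.
QEMU_X86_64 = (r":qemu-x86_64:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00"
               r":\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff"
               r":/usr/bin/qemu-x86_64:OCF")
QEMU_AARCH64 = (r":qemu-aarch64:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00"
                r":\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff"
                r":/usr/bin/qemu-aarch64:OCF")
ENTRIES = [parse_registration(QEMU_X86_64), parse_registration(QEMU_AARCH64)]


def elf_header(elf_class: int, e_type: int, e_machine: int, osabi: int = 0) -> bytes:
    """Constructed minimal ELF header: e_ident, then e_type and e_machine (little-endian)."""
    ident = b"\x7fELF" + bytes([elf_class, 1, 1, osabi]) + b"\x00" * 8
    return ident + e_type.to_bytes(2, "little") + e_machine.to_bytes(2, "little") + b"\x00" * 44


# Constructed sample executables (path -> first bytes). Names are illustrative only.
SAMPLE_FILES: Dict[str, bytes] = {
    "/bin/ls": elf_header(2, 3, 0x3E, osabi=3),   # native x86-64 PIE (ET_DYN, GNU/Linux OSABI)
    "/usr/bin/python3": elf_header(2, 2, 0x3E),   # native x86-64 ET_EXEC
    "/opt/arm/hello": elf_header(2, 2, 0xB7),     # foreign aarch64 binary
    "/opt/legacy/tool32": elf_header(1, 2, 0x03), # 32-bit i386: neither entry matches
    "/usr/local/bin/run.sh": b"#!/bin/sh\necho hi\n",
}


def match_report(entries: Optional[List[BinfmtEntry]] = None) -> Dict[str, Optional[str]]:
    entries = ENTRIES if entries is None else entries
    return {path: first_match(entries, hdr, path) for path, hdr in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for path, name in match_report().items():
        print(f"{path:24s} -> {name or 'native loader'}")
```

Running it shows the native x86-64 binaries (`/bin/ls`, `/usr/bin/python3`) claimed by the `qemu-x86_64` entry alongside the foreign aarch64 one, while the 32-bit binary and the script fall through to the regular loaders. That is the system-wide effect the quoted message objects to: with a single host-wide table there is no way to emulate one container's x86-64 binaries without also routing every other x86-64 exec() on the host through qemu, which is exactly the scoping a per-namespace binfmt_misc table would provide.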