From: Eric W. Biederman <ebiederm@xmission.com>
To: Laurent Vivier
Cc: Jann Horn, James Bottomley, kernel list, Linux API, containers@lists.linux-foundation.org, dima@arista.com, Al Viro, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v6 0/1] ns: introduce binfmt_misc namespace
Date: Thu, 01 Nov 2018 09:16:04 -0500
Message-ID: <87zhusq3x7.fsf@xmission.com>
In-Reply-To: (Laurent Vivier's message of "Thu, 1 Nov 2018 13:28:19 +0100")
References: <20181010161430.11633-1-laurent@vivier.eu> <7ed6f823-547b-922d-59ff-aba9c4c3ab39@vivier.eu> <1541041159.4632.6.camel@HansenPartnership.com>
List: linux-kernel@vger.kernel.org

Laurent Vivier writes:

> On 01/11/2018 04:51, Jann Horn wrote:
>> On Thu, Nov 1, 2018 at 3:59 AM James Bottomley wrote:
>>>
>>> On Tue, 2018-10-16 at 11:52 +0200, Laurent Vivier wrote:
>>>> Hi,
>>>>
>>>> Any comment on this last version?
>>>>
>>>> Any chance to be merged?
>>>
>>> I've got a use case for this: I went to one of the Graphene talks in
>>> Edinburgh and it struck me that we seem to keep reinventing the type of
>>> sandboxing that qemu-user already does. However if you want to do an
>>> x86 on x86 sandbox, you can't currently use the binfmt_misc mechanism
>>> because that has you running *every* binary on the system emulated.
>>> Doing it per user namespace fixes this problem and allows us to at
>>> least cut down on all the pointless duplication.
>>
>> Waaaaaait. What? qemu-user does not do "sandboxing". qemu-user makes
>> your code slower and *LESS* secure. As far as I know, qemu-user is
>> only intended for purposes like development and testing.
>>
>
> I think the idea here is not to run qemu, but to use an interpreter
> (something like gVisor) into a container to control the binaries
> execution inside the container without using this interpreter on the
> host itself (container and host share the same binfmt_misc
> magic/mask).

Please remind me of this patchset after the merge window is over, and if
there are no issues I will take it via my user namespace branch.

Last I looked I had a concern that some of the permission check issues
were being papered over by using override cred instead of fixing the
deeper code. Sometimes they are necessary, but seeing work-arounds
instead of fixes for problems tends to be a maintenance issue, possibly
with security consequences. Best is if everyone agrees on how all of the
interfaces work so there are no surprises.

Eric
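Added example, not part of the thread or of the patch under discussion: a Python model of the binfmt_misc register line format and of the magic/mask test the kernel applies at exec time. It shows why a single system-wide table makes a qemu-style x86-64 entry claim every x86-64 ELF on the host as well as in the container, which is the behaviour the per-namespace table is meant to scope. The registration line, the interpreter path and the ELF headers are constructed samples.

```python
import re

BINPRM_BUF_SIZE = 128  # bytes at the start of a file the kernel compares against magic

def _unquote(field: str) -> bytes:
    # Decode the \xHH escapes the register format uses for magic and mask bytes.
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), field.encode("latin-1"))

def parse_register(line: str) -> dict:
    # Format written to /proc/sys/fs/binfmt_misc/register, d being the first character:
    #   d name d type d offset d magic d mask d interpreter d flags
    delim = line[0]
    fields = line.rstrip("\n")[1:].split(delim)
    if len(fields) != 7:
        raise ValueError("expected 7 fields")
    name, typ, offset, magic, mask, interp, flags = fields
    if typ not in ("M", "E"):
        raise ValueError("type must be M (magic) or E (extension)")
    entry = {"name": name, "type": typ, "interpreter": interp, "flags": set(flags)}
    if typ == "E":
        entry["ext"] = magic      # for E entries the magic field holds the extension
        return entry
    entry["offset"] = int(offset or "0")
    entry["magic"] = _unquote(magic)
    entry["mask"] = _unquote(mask) if mask else b"\xff" * len(entry["magic"])
    if len(entry["mask"]) != len(entry["magic"]):
        raise ValueError("mask must be as long as magic")
    if entry["offset"] + len(entry["magic"]) > BINPRM_BUF_SIZE:
        raise ValueError("magic must fit inside the inspected buffer")
    return entry

def entry_matches(entry: dict, head: bytes, path: str = "") -> bool:
    # The kernel's test: every magic byte satisfies ((file ^ magic) & mask) == 0;
    # E entries instead compare the name after the last '.' with the extension.
    if entry["type"] == "E":
        return "." in path and path.rsplit(".", 1)[1] == entry["ext"]
    n, off = len(entry["magic"]), entry["offset"]
    window = head[off:off + n].ljust(n, b"\0")   # the kernel's buffer is zero-filled
    return all(((b ^ m) & k) == 0 for b, m, k in zip(window, entry["magic"], entry["mask"]))

# Constructed sample: the usual shape of a qemu-user x86-64 registration, plus three
# constructed ELF headers (a host ET_EXEC, a container ET_DYN/PIE, and an aarch64 file).
QEMU_ENTRY = parse_register(
    ":qemu-x86_64:M::" r"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00"
    ":" r"\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff"
    ":/usr/bin/qemu-x86_64:F")
HOST_X86_64_EXEC = b"\x7fELF\x02\x01\x01\x00" + b"\0" * 8 + b"\x02\x00\x3e\x00"
CONTAINER_X86_64_PIE = b"\x7fELF\x02\x01\x01\x03" + b"\0" * 8 + b"\x03\x00\x3e\x00"
AARCH64_EXEC = b"\x7fELF\x02\x01\x01\x00" + b"\0" * 8 + b"\x02\x00\xb7\x00"
```

Both the host executable and the container PIE match the one entry (the mask ignores EI_OSABI and the low bit of e_type), so with a shared table the interpreter is applied outside the container too; only the aarch64 header falls through.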