Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp37532imb;
        Thu, 28 Feb 2019 15:13:59 -0800 (PST)
X-Google-Smtp-Source: AHgI3IbOH3xPCTFoA32dAFErbN2/a/1Gql1Bek9vGDEBv3PlkYlcg9unNlRnhYB15Acs6LnLsOQC
X-Received: by 2002:a62:f201:: with SMTP id m1mr2202277pfh.97.1551395639689;
        Thu, 28 Feb 2019 15:13:59 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551395639; cv=none;
        d=google.com; s=arc-20160816;
        b=HbTvfxUUrvWl4h9COdv9btf3rLWWMsFytjq0qTYM/lrTPl1R/g4NUVFZJZsA39KJC/
         sVZS3jU6l/pmEB6S3F+8bSCoho8XeUOL9shbzX7EAyVi5fDECg3Y+oFKMradprTIErXF
         0Ru5ghE4UcsdlJ7aB+7KDwz7XUjkB8x35tWWUxyidxqAV8C0dOYeUCd+dAD9pYo/zjy6
         zdGbveetzjbKC59CBM4m9OuWZM44cSV7MItXujaN0lcqHOx9IU7zBoCXkk3+FDUkzIhf
         4gKkoaC8O/F/CFs51Vuqm+Flfn7vOFyZNdujl5f+JNGk8u8DOOCDpapR8PiX3Re1oUwq
         x+HQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :mime-version:dkim-signature;
        bh=nycqOmeNUKBjRiU6n5X5vbwpiEK+Qw7NbSaLdjcSOjw=;
        b=dcMqkC7JCzq945SX4yF4dcQ84J0SdtbMd7o/kIaPUMqDA9Kt1xch0HuZskeNYLfhYo
         8tgjvhAFSue+QdK7spGimg/q2p7mwYVQY2AqQNHVWxKrhq2dKaWt02mOPvEaqA8XIDiV
         vBFhgzCC0TPeYgGI/4P28t8J/QjooF+ZHjUKnRHPodoueNp66AKsrpNgJlSpVnNZ2YBK
         7qtCvJfPIYLY52qOGf/7p8OjYeIweL5njlAZ/SgJWfIi2aMtYvAuNVfQD2chmNn//VBG
         w5wiK46dsUOPLZOzn0cK7/UTcTN9ki/MkUKsPw74E0DMdQIDCx255DclDHi7dNZfEncA
         sHNQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Tz16v9Jq;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u26si12992030pgn.216.2019.02.28.15.13.44;
        Thu, 28 Feb 2019 15:13:59 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Tz16v9Jq;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2387647AbfB1T1y (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Thu, 28 Feb 2019 14:27:54 -0500
Received: from mail-it1-f177.google.com ([209.85.166.177]:38870 "EHLO
        mail-it1-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726271AbfB1T1w (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 28 Feb 2019 14:27:52 -0500
Received: by mail-it1-f177.google.com with SMTP id l66so17512635itg.3
        for <linux-kernel@vger.kernel.org>; Thu, 28 Feb 2019 11:27:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to:cc;
        bh=nycqOmeNUKBjRiU6n5X5vbwpiEK+Qw7NbSaLdjcSOjw=;
        b=Tz16v9JqT0NV7pFmwB5BVrQ9v3DR28esAH/XtV/EgA+xCfa6n85HWWNYOQrdZ6tIb4
         37XwjDDwes1e0dXWLv9J9nD4nppxuG5xczjn3syRAoajMM6rUYSiaPyrbiBp/qZtQUt+
         dTyRPl5bdtM+5qyxROL218KCNNMBNcqCtKnKHQpArBcdDgT6bRZLQFp+aD0MOup+kjTr
         FjhjJ2BeKEmXsVDJ6sI6vSOF6L2K6wd6ExnxgR38zTPHxpHbbyqOh/uWTRB1HQnKrpiD
         FQYsn4y1SWhMRRYRjr5jQ4mfgcQR6E9rphZBMNDcabZkMAFXnPdmwUgcC6U5npU28sif
         HFKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc;
        bh=nycqOmeNUKBjRiU6n5X5vbwpiEK+Qw7NbSaLdjcSOjw=;
        b=gFWaUKFeHq+AjvV7zyMzj56PFuvwBbheDJNNxeXAjQS2UvYfHwOf75F24BqT3C8Qmw
         NPImGBT2C4WJy47/qgSgsr6YMEhGte8tcPP0KZVme2jhjk1LAzB1kW1b3EpM+QbJJYaK
         iCimjP5Qj0mXGAxBwj6wRCCQVI1VgGelVbSy/l6cTnzuEfmXmj8SJe1otzlDOenYgTny
         TOEKDLMlb8BGFjbct5N2EXG63q8uJDGxVFEHf+AlZDFPyRTlMBuYBlKkaK+rge1aGJu9
         x3pdd6uixmQQq+4gBj5RhkTf6Q7DVQ2AMyPfzPkCJirjO0bsPat9DTNY6CglxwCiqQnZ
         w7/g==
X-Gm-Message-State: APjAAAWhZyHn39GrkGwoafH9YTATdffhSrCSLDFwiuqKPCYpdN4btZyr
        MRoRT+YO8T5HJUBWd0yuk0BRVsu+MRqAFk4fqccNJw==
X-Received: by 2002:a02:3c07:: with SMTP id m7mr486396jaa.26.1551382070236;
 Thu, 28 Feb 2019 11:27:50 -0800 (PST)
MIME-Version: 1.0
From:   Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date:   Thu, 28 Feb 2019 11:27:38 -0800
Message-ID: <CAKdAkRQj=bSSL2Cw3gAqi5f12yP3+KsvtrMvU4Lcfta_JYxMYQ@mail.gmail.com>
Subject: Allowing mapping supplemental groups in user namespace?
To:     "Eric W. Biederman" <ebiederm@xmission.com>
Cc:     lkml <linux-kernel@vger.kernel.org>,
        "Serge E. Hallyn" <serge@hallyn.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Eric,

Currently, unless caller has CAP_SETGID in parent namespace, we can
only map effective group id in the new user namespace. Would it be
possible to relax this rule to also allow mapping of supplemental
groups (1:1) of the caller?

Thanks.

-- 
Dmitry