1. 13 Feb, 2015 1 commit
    • usernsd: The way to restore privileged stuff in userns · b8556e80
      Pavel Emelyanov authored
      We have collected a good set of calls that cannot be done inside
      user namespaces, but we need to [1]. Some of them have already
      been addressed, like prctl mm bits restore, but some are not.
      
      I'm pretty sceptical about the ability to relax the security
      checks on quite a lot of them (e.g. open-by-handle is indeed a
      very dangerous operation if allowed to an unprivileged user), so
      we need some way to call those things even in user namespaces.
      
      The good news about it is that all the calls I've found operate
      on file descriptors this way or another. So if we had a process,
      that lived outside of user namespace, we could ask one to do the
      high priority operation we need and exchange the affected file
      descriptor via unix socket.
      
      So the usernsd is the one doing exactly this. It starts before we
      create the user namespace and accepts requests via unix socket.
      Clients (the processes we restore) send him the functions they
      want to call, the descriptor they want to operate on and the
      arguments blob. Optionally, they can request some file descriptor
      back after the call.
      
      In non usernamespace case the daemon is not started and the calls
      are done right in the requestor's process environment.
      
      In the next patch there's an example of how to use this daemon
      to do the privileged SO_SNDBUFFORCE/_RCVBUFFORCE sockopt on
      a socket.
      
      [1] http://criu.org/UserNamespace

      Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
      Acked-by: Andrew Vagin <avagin@openvz.org>
  2. 10 Feb, 2015 4 commits
  3. 09 Feb, 2015 5 commits
  4. 29 Jan, 2015 4 commits
  5. 28 Jan, 2015 1 commit
  6. 27 Jan, 2015 11 commits
  7. 26 Jan, 2015 2 commits
  8. 23 Jan, 2015 9 commits
  9. 22 Jan, 2015 3 commits