[RFC PATCH 00/27] Containers and using authenticated filesystems
David Howells
dhowells at redhat.com
Tue Feb 19 23:42:09 UTC 2019
Eric W. Biederman <ebiederm at xmission.com> wrote:
> So you missed the main mailing lists for discussion of this kind of
> thing
Yeah, sorry about that. I was primarily aiming it at Trond and Steve as I'd
like to consider how to go about interpolating request_key() into NFS and CIFS
so that they can make use of the key-related facilities that this makes
available with AFS. And I was a bit tight for time to mail it out before
having to go out. I know, excuses... ;-)
> and the maintainer.
That would be me. I maintain keyrings.
No one is listed in MAINTAINERS as owning namespaces. If you feel that should
be you, please add a record.
> Looking at your description you are introducing a container id.
Yes. For audit logging, which was why I cc'd Richard.
> You don't describe which namespace your container id lives in.
It doesn't. Not everything has to have a namespace. As you yourself pointed
out, it should be globally unique, in which case the world is the namespace,
maybe even the universe ;-).
> Without the container id living in a container this breaks
> nested containers and process migration aka CRIU.
As long as IDs are globally unique, why should it break container migration?
Having a kernel container object might even make CRIU easier.
And what does "Without the container id living in a container" mean anyway? I
have IDs attached to containers. A container can see the IDs of its child
containers. There should be no problem with nesting.
David