----- Ursprüngliche Mail -----
On Tue, Apr 30, 2013 at 12:07:33PM +0200, Richard RW. Weinberger
wrote:
> ----- Ursprüngliche Mail -----
> > > We'd like to use libvirt for managing our lxc machines.
> > > Currently libvirt lacks of user namespace support.
> > > Is anyone working on that? Otherwise David and I will implement
> > > it
> > > and send patches very soon.
> >
> > There were some people at Fujitsu who have done a little work on
> > it.
> > They posted some very basic patches a month or two ago, but not
> > heard
> > more since then, so don't know if any progress has been made by
> > them.
>
> Found the patches. :)
> They do mostly the same what our preliminary userns support does.
> 1. Add support for uid/gid mappings.
> 2. Don't mount disallowed files systems in the userns.
> 3. Create devices nodes outside of the userns.
>
> What we still need to consider is how to deal with capability
> dropping.
> Daniel, do you have any plans how to support this?
> Using securebits would be a good idea.
We already have to deal with that - we allow all capabilities
except for CAP_MKNOD, SYS_MODULE, SYS_TIME, AUDIT_CONTROL
and MAC_ADMIN currently. If user namespaces are active, we
might be able to actually relax that and allow more of them.
TBD.
So, you are currently limiting the bounding set?
If you just drop capabilties and then execve() something as uid 0,
which is the case for user namespaces, it will regain all
capabilities.
Thanks,
//richard