patchset to enable user namespaces

Andy Whitcroft apw at canonical.com
Tue Sep 24 09:10:38 UTC 2013


On Mon, Sep 23, 2013 at 05:08:26PM -0500, Serge Hallyn wrote:
> Hi,
> 
> The final patches needed to resolve conflicts between XFS and user
> namespaces are in 3.12.  I've backported them to saucy at
> 
> 	http://kernel.ubuntu.com/git?p=serge/ubuntu-saucy.git;a=summary # m.sep23.xfs2
> 
> This has 7 patches cherrypicked from Linus' tree, one patch by
> myself to add a sysctl, default off, to enable unprivileged use
> of CLONE_NEWUSER, and a packaging patch to set CONFIG_USER_NS=y.

These are pretty big patches to be bringing so late to the party.  I am
particularly concerned that you have missed the beta deadline so we will
be shovelling this into the kernel after the majority of the testing has
been completed.

I assume we need these XFS patches because you cannot enable USER_NS at
all without disabling XFS in toto, an obvious no-no.  What feature does
this new code enable which would be lost if we don't have them?

On the unprivileged setup, I presume we are saying upstream will allow
it by default, it is just us who are adding this possible cut off if
there are issues?

As this heavily affects xfs, what testing has been done there with your
patches to confirm basic xfs operation after they are applied?  It not
being a default filesystem, we are creating a timebomb for ourselves if
it is not very very well tested.

A few comments on the patches:

 - 981ad1e update changelog for userns patchset

You don't need this one, the changelog is made from the git changelog
when we close the release.

 - cbb5a5a enable user namespaces

This one should have 'UBUNTU: [Config] ' prefix on the patch title as it
is a configuration change.  This lets us track them better on rebase to
the next upstream release.

 - 5c84740 add sysctl to disallow unprivileged CLONE_NEWUSER by default

This one should have 'UBUNTU: SAUCE: (no-up) ' prefix on the patch title
as it is not for upstream.

This hunk seems spurious:

@@ -112,6 +112,7 @@ static const struct bin_table bin_kern_table[] = {
 
        { CTL_INT,      KERN_S390_USER_DEBUG_LOGGING,
"userprocess_debug" },
        { CTL_INT,      KERN_CORE_USES_PID,             "core_uses_pid" },
+       { CTL_INT,      KERN_CORE_USES_PID,             "core_uses_pid" },
        /* KERN_TAINTED "tainted" no longer used */
        { CTL_INT,      KERN_CADPID,                    "cad_pid" },
        { CTL_INT,      KERN_PIDMAX,                    "pid_max" },
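Review bot: the single `+` line in this hunk is an exact duplicate of the `{ CTL_INT, KERN_CORE_USES_PID, "core_uses_pid" },` entry directly above it, so the change adds a second `bin_kern_table` mapping for the same `KERN_CORE_USES_PID` number and "core_uses_pid" name and nothing related to the CLONE_NEWUSER sysctl the patch title describes. It looks like a stray edit from a rebase or conflict resolution; drop the hunk from 5c84740 so the table is unchanged.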


 - 0851149 enable building user namespace with xfs
 - 8a83c60 xfs: add capability check to free eofblocks ioctl
 - 82636ae xfs: create internal eofblocks structure with kuid_t types
 - d1f6afd xfs: convert kuid_t to/from uid_t for internal structures
 - 387e013 xfs: ioctl check for capabilities in the current user namespace
 - 7cc6cc5 xfs: convert kuid_t to/from uid_t in ACLs
 - 8f86682 xfs: create wrappers for converting kuid_t to/from uid_t

All of these I assume are either cherry-picks or backports of specific
commits which hit the merge window for v3.12-rc1.  In which case they
should each have the normal:

  (cherry-picked from commit xxxxx)
or
  (backported from commit xxxxx)

at the bottom after the existing s-o-b section, and they should be signed
off by you as you are vouching for them.

Obviously we are particularly interested in those which you have had to
modify to backport them if any.

-apw