From: Serge Hallyn <serge.hallyn@canonical.com>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: lkml <linux-kernel@vger.kernel.org>,
Andy Whitcroft <apw@canonical.com>,
Andrew Morton <akpm@linux-foundation.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Dave Hansen <haveblue@us.ibm.com>,
linux-security-module@vger.kernel.org,
Linux Containers <containers@lists.osdl.org>,
St?phane Graber <stgraber@ubuntu.com>,
Daniel Lezcano <daniel.lezcano@free.fr>
Subject: Re: prevent containers from turning host filesystem readonly
Date: Fri, 10 Feb 2012 21:57:06 -0600 [thread overview]
Message-ID: <20120211035705.GA5563@sergelap> (raw)
In-Reply-To: <20120211033732.GK23916@ZenIV.linux.org.uk>
Quoting Al Viro (viro@ZenIV.linux.org.uk):
> On Fri, Feb 10, 2012 at 09:19:39PM -0600, Serge Hallyn wrote:
> > When a container shuts down, it likes to do 'mount -o remount,ro /'.
> > That sets the superblock's readonly flag, not the mount's. So unless
> > the mount action fails for some reason (i.e. a file is held open on
> > the fs), if the container's rootfs is just a directory on the host's
> > fs, the host fs will be marked readonly.
> >
> > Thanks to Dave Hansen for pointing out how simple the fix can be. If
> > the devices cgroup denies the mounting task write access to the
> > underlying superblock (as it usually does when the container's root fs
> > is on a block device shared with the host), then it do_remount_sb should
> > deny the right to change mount flags as well.
> >
> > This patch adds that check.
> >
> > Note that another possibility would be to have the LSM step in. We
> > can't catch this (as is) at the LSM level because security_remount_sb
> > doesn't get the mount flags, so we can't distinguish
> > mount -o remount,ro
> > from
> > mount --bind -o remount,ro.
> > Sending the flags to that hook would probably be a good idea in addition
> > to this patch, but I haven't done it here.
>
> NAK. This is just plain wrong - what about the filesystems that are not
> bdev-backed or, as e.g. btrfs, sit on more than one device?
>
> <comments about inadequacy of cgroup as an API censored - far too unprintable>
Drat.
Would passing the mount flags from do_remount() to security_sb_remount()
be acceptable? Then at least the LSM could distinguish and act
accordingly.
Thanks for looking.
-serge
next prev parent reply other threads:[~2012-02-11 3:57 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-11 3:19 prevent containers from turning host filesystem readonly Serge Hallyn
2012-02-11 3:37 ` Al Viro
2012-02-11 3:57 ` Serge Hallyn [this message]
2012-02-11 4:07 ` Serge Hallyn
2012-02-11 19:07 ` Eric W. Biederman
2012-02-11 20:28 ` Serge E. Hallyn
2012-02-12 4:27 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120211035705.GA5563@sergelap \
--to=serge.hallyn@canonical.com \
--cc=akpm@linux-foundation.org \
--cc=apw@canonical.com \
--cc=containers@lists.osdl.org \
--cc=daniel.lezcano@free.fr \
--cc=ebiederm@xmission.com \
--cc=haveblue@us.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=stgraber@ubuntu.com \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.