From: Al Viro <viro@ZenIV.linux.org.uk>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Linux FS Devel <linux-fsdevel@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Network Development <netdev@vger.kernel.org>
Subject: Re: Connecting to sockets on MNT_READONLY mounts?
Date: Fri, 2 May 2014 00:51:35 +0100
Message-ID: <20140501235135.GE18016@ZenIV.linux.org.uk>
In-Reply-To: <CALCETrXaXsVxaT3TH-CC8DKyDU7k=i9Y5PqBqaSDnH+2rr5E2A@mail.gmail.com>

On Thu, May 01, 2014 at 04:00:49PM -0700, Andy Lutomirski wrote:
> On Thu, May 1, 2014 at 3:34 PM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> > On Thu, May 01, 2014 at 03:20:00PM -0700, Andy Lutomirski wrote:
> >> Is it supposed to work?
> >
> > Why the hell not?  Same as opening a device node on r/o filesystem for
> > write, or doing the same with FIFO.
> 
> You can't bind a socket on a read-only fs, so I thought it was a fair question.
> 
> I'll write a patch to add MS_NOIPCCONNECT and MNT_NOIPCCONNECT to
> block connect on unix sockets and open on fifos.  This will be useful
> for sandboxes that want to prevent sandboxed programs from accessing
> undesirable parts of the outside world.

Sigh...  Don't expose those FIFOs et al. to them, then.
mount --bind /dev/null <pathname>
as part of setting the sucker up.  And if you *are* blindly exposing the
host filesystems to them wholesale, sockets and fifos are the least of your
problems, even if you do that read-only.
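The point of the exchange is that a read-only mount does not stop a sandboxed process from talking through FIFOs or unix-domain sockets it can see; what stops it is not having a socket or FIFO inode at that path at all, which is what the `mount --bind /dev/null <pathname>` trick achieves. The following Python script is an added illustration (not part of the thread and not kernel code): it audits a directory tree for the FIFO and socket inodes a sandbox builder would have to decide about, shows that `connect()` to an exposed socket path succeeds with no write to the filesystem, and then shows that once the path no longer names a socket the connect fails with `ECONNREFUSED`. Because a bind mount needs `CAP_SYS_ADMIN`, the masking step is simulated by replacing the socket with an ordinary empty file; that stand-in, the temporary directory and the file names are all constructed for the example.

```python
import errno
import os
import socket
import stat
import tempfile


def find_ipc_endpoints(root):
    """Walk `root` and return the sorted paths of FIFOs and unix-domain sockets.

    These are the inodes through which a process confined to a read-only
    view of the tree can still reach whatever sits on the other end, so
    each one is a decision point when a sandbox's filesystem is assembled.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:  # os.walk lists non-directories (incl. sockets/FIFOs) here
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            if stat.S_ISFIFO(mode) or stat.S_ISSOCK(mode):
                found.append(path)
    return sorted(found)


def connect_result(path):
    """Attempt a unix-domain stream connect() to `path`.

    Returns "connected" on success, otherwise the errno name (e.g. "ECONNREFUSED").
    """
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(path)
        return "connected"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def demo():
    """Build a constructed tree with one FIFO and one listening socket,
    audit it, connect to the socket, mask the socket, and audit again."""
    with tempfile.TemporaryDirectory() as root:
        os.mkfifo(os.path.join(root, "pipe"))
        sock_path = os.path.join(root, "daemon.sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)  # bind() is the step that needs a writable filesystem
        srv.listen(1)
        try:
            endpoints = [os.path.relpath(p, root) for p in find_ipc_endpoints(root)]
            # connect() needs only lookup + write permission on the socket inode;
            # a read-only mount of this tree would not change this result.
            before = connect_result(sock_path)

            # Stand-in for `mount --bind /dev/null daemon.sock` in the sandbox's
            # mount namespace (needs CAP_SYS_ADMIN): make the path name something
            # that is not a socket. Here a plain empty file is used instead of
            # the character device, which is a constructed simplification.
            os.unlink(sock_path)
            with open(sock_path, "w"):
                pass
            after = connect_result(sock_path)
            endpoints_after = [os.path.relpath(p, root) for p in find_ipc_endpoints(root)]
        finally:
            srv.close()
        return {
            "endpoints": endpoints,
            "before": before,
            "after": after,
            "endpoints_after": endpoints_after,
        }


if __name__ == "__main__":
    print(demo())
```

Run as-is, `demo()` reports both endpoints in the audit, `"connected"` for the live socket, `"ECONNREFUSED"` once the path no longer names a socket (the kernel's unix-domain lookup rejects non-socket inodes with that error), and only the FIFO left in the second audit. In a real sandbox the audit would be run over the host paths about to be exposed, and every hit either dropped from the bind-mounted view or covered with `/dev/null` as described above.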

Thread overview: 6+ messages
2014-05-01 22:20 Connecting to sockets on MNT_READONLY mounts? Andy Lutomirski
2014-05-01 22:34 ` Al Viro
2014-05-01 23:00   ` Andy Lutomirski
2014-05-01 23:51     ` Al Viro [this message]
2014-05-01 23:57       ` Andy Lutomirski
2014-05-02  0:56         ` Al Viro