From: Seth Forshee <seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: "Linus Torvalds"
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
"Linux Containers"
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
"Linux API" <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"Andy Lutomirski" <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
"Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>,
"Richard Weinberger" <richard-/L3Ra7n9ekc@public.gmane.org>,
"Kenton Varda" <kenton-AuYgBwuPrUQTaNkGU808tA@public.gmane.org>,
"Michael Kerrisk-manpages"
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
"Stéphane Graber"
<stgraber-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
"Eric Windisch"
<ewindisch-FCduhRhOUaTQT0dZR+AlfA@public.gmane.org>,
"Greg Kroah-Hartman"
<gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>,
"Tejun Heo" <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
"Omar Sandoval" <osandov-nWWhXC5lh1RBDgjK7y7TUQ@public.gmane.org>,
"Ivan Delalande" <colona-nzgTgzXrdUbQT0dZR+AlfA@public.gmane.org>
Subject: Re: [GIT PULL] User namespace related fixes for v4.2
Date: Mon, 6 Jul 2015 17:25:15 -0500
Message-ID: <20150706222515.GA131277@ubuntu-hedt>
In-Reply-To: <E81DECCD-9B19-4D42-BE43-5987DE7B05DB-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
On Mon, Jul 06, 2015 at 04:24:00PM -0500, Eric W. Biederman wrote:
>
>
> On July 6, 2015 3:47:48 PM CDT, Seth Forshee <seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org> wrote:
> >On Wed, Jul 01, 2015 at 03:41:37PM -0500, Eric W. Biederman wrote:
> >> This set of changes also starts enforcing the mount flags of fresh
> >> mounts of proc and sysfs are consistent with the existing mount of proc
> >> and sysfs. I expected this to be the boring part of the work but
> >> unfortunately unprivileged userspace winds up mounting fresh copies of
> >> proc and sysfs with noexec and nosuid clear when root set those flags on
> >> the previous mount of proc and sysfs. So for now only the atime,
> >> read-only and nodev attributes which userspace happens to keep
> >> consistent are enforced. Dealing with the noexec and nosuid attributes
> >> remains for another time.
> >
> >Sorry to be the bearer of bad news, but I am seeing a regression in lxc
> >with 4.2-rc1 due to this change. lxc is doing a fresh mount of sysfs
> >that never specifies either read-only or nodev regardless of how sysfs
> >has been mounted previously, and this is causing me to see mount
> >failures because of the nodev check.
> >
> >If I comment out only the nodev check then the mount works on my system,
> >but based on the code in lxc I don't think there's any guarantee at all
> >of this mount having flags consistent with previous mounts.
>
> Seth, you are testing your in-progress patchset that
> modifies how nodev works, aren't you?
>
> In rc1 nodev is always forced on a mount in a user namespace.
>
> There is a fairly easy fix to the nodev cleanup in your
> patchset, but it takes a few lines of code change in
> fs_fully_visible. Essentially after we get the better
> nodev enforcement, fs_fully_visible does not need
> to bother with nodev.
Drat, you're right. I built an unmodified 4.2-rc1 but apparently I had
booted the wrong kernel when I thought I was testing it. Without the
extra patches it's fine; sorry for the noise.
Seth
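The consistency rule Eric describes above (a fresh proc or sysfs mount in a user namespace must carry the atime, read-only and nodev attributes of the mount already visible, while noexec and nosuid are deferred) can be checked from userspace before calling mount(2). The script below is an added example and is not code from this thread, from lxc or from the kernel's fs_fully_visible(): it parses /proc/self/mountinfo lines (format per proc(5)), applies the mount(2) default of relatime when a request names no atime option (an assumption stated in the code), and reports which flags a container runtime's mount request is missing. The mountinfo lines it runs on are constructed sample data, and the ENFORCED/DEFERRED sets are taken from the thread's wording rather than from kernel source.

```python
"""Added example: pre-check a fresh proc/sysfs mount request against the flags
of the mount that is already visible, following the rule described in the thread.
Not kernel or lxc code; ENFORCED/DEFERRED mirror the thread's description."""

# Flags the thread says are enforced for consistency in 4.2-rc1 ...
ENFORCED = {"ro", "nodev", "noatime", "relatime", "strictatime"}
# ... and the ones it says are left for another time.
DEFERRED = {"noexec", "nosuid"}
ATIME_OPTS = {"noatime", "relatime", "strictatime"}

# Constructed sample of /proc/self/mountinfo (not captured from a real host).
SAMPLE_MOUNTINFO = """\
22 60 0:21 / /proc rw,nosuid,nodev,noatime - proc proc rw
23 60 0:22 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
24 60 0:5 / /dev rw,nosuid,relatime - devtmpfs udev rw,size=4096k,mode=755
"""


def parse_mountinfo(text):
    """Parse mountinfo text into dicts of mount_point, fstype and per-mount opts.

    Per proc(5) the per-mount options are field 6 (index 5) and the fs type is
    the first field after the ' - ' separator.  Malformed lines are skipped."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or not rf:
            continue
        mounts.append({"mount_point": lf[4],
                       "fstype": rf[0],
                       "opts": set(lf[5].split(","))})
    return mounts


def normalize(opts):
    """Apply mount(2) defaults so requests and mountinfo compare like for like.

    Assumption: a request naming no atime option gets relatime (the kernel
    default since 2.6.30), and a request without 'ro' is 'rw'."""
    opts = set(opts)
    if not opts & ATIME_OPTS:
        opts.add("relatime")
    if "ro" not in opts:
        opts.add("rw")
    return opts


def check_request(mounts, fstype, requested):
    """Compare a mount request with the existing mounts of the same fstype.

    Returns {'blocking': flags the enforced check would reject the request for,
             'deferred': noexec/nosuid differences the thread says are not yet
                         enforced}.  With several existing mounts the one the
    request matches best is reported; no existing mount means nothing to
    be consistent with."""
    existing = [m for m in mounts if m["fstype"] == fstype]
    if not existing:
        return {"blocking": set(), "deferred": set()}
    req = normalize(requested)
    best = None
    for m in existing:
        have = normalize(m["opts"])
        result = {"blocking": (have & ENFORCED) - req,
                  "deferred": (have & DEFERRED) - req}
        if best is None or len(result["blocking"]) < len(best["blocking"]):
            best = result
    return best


if __name__ == "__main__":
    mounts = parse_mountinfo(SAMPLE_MOUNTINFO)
    # A bare 'rw' sysfs request, like the one the thread says lxc issues.
    print("sysfs rw only      :", check_request(mounts, "sysfs", {"rw"}))
    # A request that copies the visible mount's flags passes cleanly.
    print("sysfs matched flags:", check_request(
        mounts, "sysfs", {"ro", "nodev", "nosuid", "noexec"}))
    print("proc rw only       :", check_request(mounts, "proc", {"rw"}))
```

Running the script prints, for the sample data, that a bare "rw" sysfs request is missing ro and nodev (blocking) and nosuid/noexec (deferred), while a request that copies the visible mount's flags reports nothing. Used in a container runtime, the blocking set is what to add to the mount request (or to log as the reason a mount is expected to fail) before the kernel rejects it.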