From: Jan Kara <jack@suse.cz>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Mike Snitzer <snitzer@redhat.com>,
Seth Forshee <seth.forshee@canonical.com>,
Kent Overstreet <kent.overstreet@gmail.com>,
Alasdair Kergon <agk@redhat.com>,
dm-devel@redhat.com, Neil Brown <neilb@suse.com>,
David Woodhouse <dwmw2@infradead.org>,
Brian Norris <computersforpeace@gmail.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Jan Kara <jack@suse.com>, Jeff Layton <jlayton@poochiereds.net>,
"J. Bruce Fields" <bfields@fieldses.org>,
Serge Hallyn <serge.hallyn@canonical.com>,
Andy Lutomirski <luto@amacapital.net>,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
linux-kernel@vger.kernel.org, linux-mtd@lists.infradead.org,
linux-bcache@vger.kernel.org, linux-raid@vger.kernel.org
Subject: Re: [PATCH 1/5] fs: Verify access of user towards block device file when mounting
Date: Fri, 2 Oct 2015 01:07:00 +0200 [thread overview]
Message-ID: <20151001230700.GA10087@quack.suse.cz> (raw)
In-Reply-To: <87wpv6a8hl.fsf@x220.int.ebiederm.org>
On Thu 01-10-15 10:55:50, Eric W. Biederman wrote:
> The goal if possible is to run things like docker without needed to be
> root or even more fun to run docker in a container, and in general
> enable nested containers.
Frankly at the filesystem side we are rather far from being able to safely
mount untrusted device and I don't think we'll ever be robust enough to
tolerate e.g. user changing the disk while fs is using it. So would this be
FUSE-only thing or is someone still hoping that general purpose filesystems
will be robust enough in future?
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
next prev parent reply other threads:[~2015-10-01 23:07 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-30 20:15 [PATCH 0/5] User namespace mount updates Seth Forshee
2015-09-30 20:15 ` [PATCH 1/5] fs: Verify access of user towards block device file when mounting Seth Forshee
2015-09-30 23:42 ` Mike Snitzer
2015-10-01 12:55 ` Seth Forshee
2015-10-01 13:40 ` Mike Snitzer
2015-10-01 14:41 ` Seth Forshee
2015-10-08 15:41 ` Seth Forshee
2015-10-01 15:55 ` Eric W. Biederman
2015-10-01 23:07 ` Jan Kara [this message]
2015-10-05 14:26 ` Seth Forshee
2015-10-01 15:40 ` Eric W. Biederman
2015-10-01 15:55 ` Seth Forshee
2015-09-30 20:15 ` [PATCH 2/5] fs: Treat foreign mounts as nosuid Seth Forshee
2015-09-30 20:15 ` [PATCH 3/5] selinux: Add support for unprivileged mounts from user namespaces Seth Forshee
2015-09-30 20:15 ` [PATCH 4/5] userns: Replace in_userns with current_in_userns Seth Forshee
2015-09-30 20:15 ` [PATCH 5/5] Smack: Handle labels consistently in untrusted mounts Seth Forshee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151001230700.GA10087@quack.suse.cz \
--to=jack@suse.cz \
--cc=agk@redhat.com \
--cc=bfields@fieldses.org \
--cc=computersforpeace@gmail.com \
--cc=dm-devel@redhat.com \
--cc=dwmw2@infradead.org \
--cc=ebiederm@xmission.com \
--cc=jack@suse.com \
--cc=jlayton@poochiereds.net \
--cc=kent.overstreet@gmail.com \
--cc=linux-bcache@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-raid@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=neilb@suse.com \
--cc=selinux@tycho.nsa.gov \
--cc=serge.hallyn@canonical.com \
--cc=seth.forshee@canonical.com \
--cc=snitzer@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.