From: Al Viro <viro@zeniv.linux.org.uk>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Christian Brauner <christian@brauner.io>,
Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Miklos Szeredi <miklos@szeredi.hu>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: Regression in 5.3 for some FS_USERNS_MOUNT (aka user-namespace-mountable) filesystems
Date: Sat, 27 Jul 2019 14:17:17 +0100 [thread overview]
Message-ID: <20190727131717.GQ1131@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20190727123705.GP1131@ZenIV.linux.org.uk>
On Sat, Jul 27, 2019 at 01:37:05PM +0100, Al Viro wrote:
> > So yes I agree the function of interest is always capable in some form,
> > we just need the filesystem specific logic to check to see if we will
> > have capable over the filesystem that will be mounted.
> >
> > I don't doubt that the new mount api has added a few new complexities.
>
> So far it looks like *in this particular case* complexities would be
> reduced - with one exception all your ->permission() instances become
> identical.
>
> Moreover, even in that case we still get the right overall behaviour
> with the same instance...
PS: For the record
* I obviously agree with your reasoning behind making those checks
fs-dependent (they have to) and with putting them (back then) into
->mount() instances (since that was the first method called)
* I agree (violently) with not liking them done inside ->mount().
* in principle I agree that the stuff like "can that thing
be mounted in non-initial userns" might better off as a method rather
than a flag.
However
* these days filesystem *can* have "which userns should the
capabilities be checked for?" handled outside ->mount(). Setting
fc->user_ns in ->init_fs_context() does just that; the thing is
called first in all cases.
* with that done we get the same logics for all FS_USERNS_MOUNT
filesystems. IOW, all your ->permission() methods would either become
NULL (for !FS_USERNS_MOUNT) or, for all non-NULL, identical to each other.
All variability between them is already taken care of when we set fc->user_ns.
The last one is what makes me somewhat dubious re having that method -
it's literally one bit of information encoded into a function pointer.
Do you anticipate any cases where the thing would *NOT* be of the same
form? I.e. when something is userns-mountable, but the check is not
ns_capable(some userns, CAP_SYS_ADMIN)?
While we are at it, kobj_ns_...() look like preparations to something
that has never fully materialized. What would sysfs mount checks be
supposed to do if we'd ever grown more than one struct kobj_ns_type_operations
instance? Because that looks like the most plausible case of "we might
need trickier ->permission()"...
next prev parent reply other threads:[~2019-07-27 13:17 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-26 11:59 Regression in 5.3 for some FS_USERNS_MOUNT (aka user-namespace-mountable) filesystems Christian Brauner
2019-07-26 22:47 ` Linus Torvalds
2019-07-26 23:22 ` Al Viro
2019-07-27 0:46 ` Eric W. Biederman
2019-07-27 2:28 ` Al Viro
2019-07-27 11:20 ` Eric W. Biederman
2019-07-27 12:37 ` Al Viro
2019-07-27 13:17 ` Al Viro [this message]
2019-07-27 2:23 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190727131717.GQ1131@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=christian@brauner.io \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.