From mboxrd@z Thu Jan 1 00:00:00 1970 From: ebiederm@xmission.com (Eric W. Biederman) Subject: Re: [REVIEW][PATCH 1/2] userns: Better restrictions on when proc and sysfs can be mounted Date: Sat, 31 Aug 2013 21:45:11 -0700 Message-ID: <87eh99noa0.fsf@xmission.com> References: <878uzmhkqg.fsf@xmission.com> <87a9k2g5la.fsf@xmission.com> Mime-Version: 1.0 Content-Type: text/plain Cc: Linux Containers , "Serge E. Hallyn" , Linux FS Devel , "linux-kernel\@vger.kernel.org" To: Andy Lutomirski Return-path: Received: from out03.mta.xmission.com ([166.70.13.233]:46652 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753369Ab3IAEpW (ORCPT ); Sun, 1 Sep 2013 00:45:22 -0400 In-Reply-To: <87a9k2g5la.fsf@xmission.com> (Eric W. Biederman's message of "Tue, 27 Aug 2013 14:57:05 -0700") Sender: linux-fsdevel-owner@vger.kernel.org List-ID: ebiederm@xmission.com (Eric W. Biederman) writes: > Andy Lutomirski writes: > >> On Tue, Aug 27, 2013 at 2:44 PM, Eric W. Biederman >> wrote: >>> >>> Rely on the fact that another flavor of the filesystem is already >>> mounted and do not rely on state in the user namespace. >> >> Possibly dumb question: does this check whether the pre-existing mount >> has hidepid set? > > Not currently. > > It may be worth doing something with respect to hidepid. I forget what > hidepid tries to do, and I need to dash. But feel free to cook up a > follow on patch. So I have thought about this a bit more. hidepid hides the processes that ptrace_may_access will fail on. You can only reach the point where an unprivileged mount of a pid namespace is possible if you have created both a user namespace and a pid namespace. Which means the creator of the pid namespace will be capable of ptracing all of the other processes in the pid namespace (ignoring setns). So I don't see a point of worry about hidepid or the hidepid gid on child pid namespaces. The cases it is attempting to protecting against really don't exist. Eric