From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Richard Weinberger
<richard.weinberger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: "libvir-list-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org"
<libvir-list-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
linux-fsdevel
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linus Torvalds
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Subject: Re: [GIT PULL] namespace updates for v3.17-rc1
Date: Wed, 20 Aug 2014 21:53:49 -0700 [thread overview]
Message-ID: <87vbpm4f4y.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <CAFLxGvwi-iJRyfwv8v9fcRkiSu2d-az8W55xMPbp_d8wQKmwjg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (Richard Weinberger's message of "Wed, 20 Aug 2014 17:06:59 +0200")
Richard Weinberger <richard.weinberger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
> On Wed, Aug 6, 2014 at 2:57 AM, Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> wrote:
>
> This commit breaks libvirt-lxc.
> libvirt does in lxcContainerMountBasicFS():
The bugs fixed are security issues, so if we have to break a small
number of userspace applications we will. Anything that we can
reasonably do to avoid regressions will be done.
Could you please look at my user-namespace.git#for-next branch I have a
fix for at least one regresion causing issue in there. I think it may
fix your issues but I am not fully certain more comments below.
> /*
> * We can't immediately set the MS_RDONLY flag when mounting filesystems
> * because (in at least some kernel versions) this will propagate back
> * to the original mount in the host OS, turning it readonly too. Thus
> * we mount the filesystem in read-write mode initially, and then do a
> * separate read-only bind mount on top of that.
> */
> bindOverReadonly = !!(mnt_mflags & MS_RDONLY);
>
> VIR_DEBUG("Mount %s on %s type=%s flags=%x",
> mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY);
> if (mount(mnt_src, mnt->dst, mnt->type, mnt_mflags &
> ~MS_RDONLY, NULL) < 0) {
>
> ^^^^ Here it fails for sysfs because with user namespaces we bind the
> existing /sys into the container
> and would have to read out all existing mount flags from the current /sys mount.
> Otherwise mount() fails with EPERM.
> On my test system /sys is mounted with
> "rw,nosuid,nodev,noexec,relatime" and libvirt
> misses the realtime...
Not specifying any atime flags to mount should be safe as that asks for
the default atime flags which for remount I have made the default atime
flags the existing atime flags. So I am scratching my head a little on
this one.
>
> virReportSystemError(errno,
> _("Failed to mount %s on %s type %s flags=%x"),
> mnt_src, mnt->dst, NULLSTR(mnt->type),
> mnt_mflags & ~MS_RDONLY);
> goto cleanup;
> }
>
> if (bindOverReadonly &&
> mount(mnt_src, mnt->dst, NULL,
> MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
>
> ^^^ Here it fails because now we'd have to specify all flags as used
> for the first
> mount. For the procfs case MS_NOSUID|MS_NOEXEC|MS_NODEV.
> See lxcBasicMounts[].
> In this case the fix is easy, add mnt_mflags to the mount flags.
That has always been a bug in general because remount has always
required specifying the complete set of mount flags you want to have.
That fact that flags such as nosuid are now properly locked so you can
not change them if you are not the global root user just makes this
obvious.
Andy Lutermorski has observed that statvfs will return the mount flags
making reading them simple.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Richard Weinberger <richard.weinberger@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Linux Containers <containers@lists.linux-foundation.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
"libvir-list\@redhat.com" <libvir-list@redhat.com>,
"Daniel P. Berrange" <berrange@redhat.com>
Subject: Re: [GIT PULL] namespace updates for v3.17-rc1
Date: Wed, 20 Aug 2014 21:53:49 -0700 [thread overview]
Message-ID: <87vbpm4f4y.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <CAFLxGvwi-iJRyfwv8v9fcRkiSu2d-az8W55xMPbp_d8wQKmwjg@mail.gmail.com> (Richard Weinberger's message of "Wed, 20 Aug 2014 17:06:59 +0200")
Richard Weinberger <richard.weinberger@gmail.com> writes:
> On Wed, Aug 6, 2014 at 2:57 AM, Eric W. Biederman <ebiederm@xmission.com> wrote:
>
> This commit breaks libvirt-lxc.
> libvirt does in lxcContainerMountBasicFS():
The bugs fixed are security issues, so if we have to break a small
number of userspace applications we will. Anything that we can
reasonably do to avoid regressions will be done.
Could you please look at my user-namespace.git#for-next branch I have a
fix for at least one regresion causing issue in there. I think it may
fix your issues but I am not fully certain more comments below.
> /*
> * We can't immediately set the MS_RDONLY flag when mounting filesystems
> * because (in at least some kernel versions) this will propagate back
> * to the original mount in the host OS, turning it readonly too. Thus
> * we mount the filesystem in read-write mode initially, and then do a
> * separate read-only bind mount on top of that.
> */
> bindOverReadonly = !!(mnt_mflags & MS_RDONLY);
>
> VIR_DEBUG("Mount %s on %s type=%s flags=%x",
> mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY);
> if (mount(mnt_src, mnt->dst, mnt->type, mnt_mflags &
> ~MS_RDONLY, NULL) < 0) {
>
> ^^^^ Here it fails for sysfs because with user namespaces we bind the
> existing /sys into the container
> and would have to read out all existing mount flags from the current /sys mount.
> Otherwise mount() fails with EPERM.
> On my test system /sys is mounted with
> "rw,nosuid,nodev,noexec,relatime" and libvirt
> misses the realtime...
Not specifying any atime flags to mount should be safe as that asks for
the default atime flags which for remount I have made the default atime
flags the existing atime flags. So I am scratching my head a little on
this one.
>
> virReportSystemError(errno,
> _("Failed to mount %s on %s type %s flags=%x"),
> mnt_src, mnt->dst, NULLSTR(mnt->type),
> mnt_mflags & ~MS_RDONLY);
> goto cleanup;
> }
>
> if (bindOverReadonly &&
> mount(mnt_src, mnt->dst, NULL,
> MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
>
> ^^^ Here it fails because now we'd have to specify all flags as used
> for the first
> mount. For the procfs case MS_NOSUID|MS_NOEXEC|MS_NODEV.
> See lxcBasicMounts[].
> In this case the fix is easy, add mnt_mflags to the mount flags.
That has always been a bug in general because remount has always
required specifying the complete set of mount flags you want to have.
That fact that flags such as nosuid are now properly locked so you can
not change them if you are not the global root user just makes this
obvious.
Andy Lutermorski has observed that statvfs will return the mount flags
making reading them simple.
Eric
next prev parent reply other threads:[~2014-08-21 4:53 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-06 0:57 [GIT PULL] namespace updates for v3.17-rc1 Eric W. Biederman
2014-08-06 0:57 ` Eric W. Biederman
[not found] ` <87fvhav3ic.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-08-06 4:46 ` Stephen Rothwell
2014-08-06 4:46 ` Stephen Rothwell
2014-08-06 4:46 ` Stephen Rothwell
[not found] ` <20140806144643.45e5dab8-3FnU+UHB4dNDw9hX6IcOSA@public.gmane.org>
2014-08-06 5:16 ` Eric W. Biederman
2014-08-06 5:16 ` Eric W. Biederman
[not found] ` <87lhr2tcyx.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-08-06 6:06 ` Stephen Rothwell
2014-08-06 6:06 ` Stephen Rothwell
2014-08-06 6:06 ` Stephen Rothwell
[not found] ` <20140806160608.218b6944-3FnU+UHB4dNDw9hX6IcOSA@public.gmane.org>
2014-08-06 6:30 ` Eric W. Biederman
2014-08-06 6:30 ` Eric W. Biederman
2014-08-07 13:28 ` Theodore Ts'o
2014-08-07 13:28 ` Theodore Ts'o
2014-08-13 2:46 ` Andy Lutomirski
2014-08-13 2:46 ` Andy Lutomirski
[not found] ` <53EAD180.4010906-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
2014-08-13 4:17 ` Eric W. Biederman
2014-08-13 4:17 ` Eric W. Biederman
[not found] ` <87sil1nhut.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-08-13 4:38 ` Andy Lutomirski
2014-08-13 4:38 ` Andy Lutomirski
2014-08-13 4:45 ` Kenton Varda
[not found] ` <CAOP=4widH1rMZ1O=hzAT+M_8exdzRPA8pJ+wH29AQ9L0ogu9nw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-08-13 10:24 ` Eric W. Biederman
2014-08-13 10:24 ` Eric W. Biederman
[not found] ` <87tx5ghekp.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-08-13 17:03 ` Andy Lutomirski
2014-08-13 17:03 ` Andy Lutomirski
2014-08-14 0:03 ` [PATCH] fs: Remove implicit nodev for new mounts in non-root userns Andy Lutomirski
2014-08-15 19:05 ` Serge Hallyn
2014-08-15 19:16 ` Andy Lutomirski
2014-08-15 19:16 ` Andy Lutomirski
[not found] ` <CALCETrVKq1Fxnsd9jKDi5_fcKfCJxBZ1w-zGXD3FR-pF-jLsmQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-08-15 19:37 ` Serge Hallyn
2014-08-15 19:37 ` Serge Hallyn
2014-08-15 19:56 ` Andy Lutomirski
2014-08-15 19:56 ` Andy Lutomirski
[not found] ` <CALCETrWB0qBiyfJbapFnjxoNyNvS+aHvgc_eob3fC1j=cv+v5w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-08-15 20:16 ` Serge Hallyn
2014-08-15 20:16 ` Serge Hallyn
2014-08-15 20:16 ` Serge Hallyn
[not found] ` <2686c32f00b14148379e8cfee9c028c794d4aa1a.1407974494.git.luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
2014-08-15 19:05 ` Serge Hallyn
2014-08-15 20:16 ` Serge Hallyn
2014-08-28 1:35 ` Andy Lutomirski
2014-08-28 1:35 ` Andy Lutomirski
[not found] ` <CALCETrWT_p1-5nkiAjWoeta19fkO3rDiJe9_mhRVqF8x1zXv2A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-08-14 0:03 ` Andy Lutomirski
2014-08-15 18:41 ` [GIT PULL] namespace updates for v3.17-rc1 Andy Lutomirski
2014-08-15 18:41 ` Andy Lutomirski
2014-08-20 15:06 ` Richard Weinberger
2014-08-20 15:06 ` Richard Weinberger
[not found] ` <CAFLxGvwi-iJRyfwv8v9fcRkiSu2d-az8W55xMPbp_d8wQKmwjg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-08-21 4:53 ` Eric W. Biederman [this message]
2014-08-21 4:53 ` Eric W. Biederman
[not found] ` <87vbpm4f4y.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-08-21 6:29 ` Richard Weinberger
2014-08-21 13:12 ` Christoph Hellwig
2014-08-21 13:12 ` Christoph Hellwig
[not found] ` <20140821131257.GA4264-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2014-08-21 13:22 ` Richard Weinberger
2014-08-21 13:22 ` Richard Weinberger
[not found] ` <53F5F2AD.5010607-/L3Ra7n9ekc@public.gmane.org>
2014-08-21 14:09 ` Eric W. Biederman
2014-08-21 14:09 ` Eric W. Biederman
[not found] ` <87k362vsr5.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-09-03 21:18 ` Richard Weinberger
2014-09-03 21:18 ` Richard Weinberger
2014-11-25 23:15 ` Richard Weinberger
2014-11-25 23:15 ` Richard Weinberger
[not found] ` <CAFLxGvzyhHC+QF-bFfp-yNBpCkS3JJ+RAr+5iCj0k_su9wJbGw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-11-29 16:58 ` Richard Weinberger
2014-11-29 16:58 ` Richard Weinberger
2014-08-21 13:43 ` Eric W. Biederman
2014-08-21 13:43 ` Eric W. Biederman
2014-08-21 6:29 ` Richard Weinberger
[not found] ` <53F591E7.3010509-/L3Ra7n9ekc@public.gmane.org>
2014-08-21 7:24 ` Richard Weinberger
2014-08-21 7:24 ` Richard Weinberger
[not found] ` <53F59EC7.6060107-/L3Ra7n9ekc@public.gmane.org>
2014-08-21 13:54 ` Eric W. Biederman
2014-08-21 13:54 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87vbpm4f4y.fsf@x220.int.ebiederm.org \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=libvir-list-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=richard.weinberger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.