From: ebiederm@xmission.com (Eric W. Biederman)
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>,
Al Viro <viro@ZenIV.linux.org.uk>,
lkml <linux-kernel@vger.kernel.org>,
Andy Whitcroft <apw@canonical.com>,
Andrew Morton <akpm@linux-foundation.org>,
Dave Hansen <haveblue@us.ibm.com>,
linux-security-module@vger.kernel.org,
Linux Containers <containers@lists.osdl.org>,
St?phane Graber <stgraber@ubuntu.com>,
Daniel Lezcano <daniel.lezcano@free.fr>
Subject: Re: prevent containers from turning host filesystem readonly
Date: Sat, 11 Feb 2012 20:27:54 -0800 [thread overview]
Message-ID: <m1sjig1xrp.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20120211202803.GA19961@hallyn.com> (Serge E. Hallyn's message of "Sat, 11 Feb 2012 20:28:03 +0000")
"Serge E. Hallyn" <serge@hallyn.com> writes:
>> Serge let me respectfully suggest that getting the user namespace done
>> will deal with this issue nicely.
>>
>> In the simple case you simply won't be root so remount will just be
>> denied.
>>
>> When/if we allow a limited form of unprivileged mounts in a user
>> namespace your user won't have mounted the filesystem so you should not
>> have the privilege to call remount on the filesystem.
>
> Hm, that's a good point. Though note it'll require the userns code to
> distinguish between the a bind remount and superblock remount. The
> last time we seriously discussed this, that wasn't even on the roadmap.
> It was only going to support fully assigning the whole filesystem to
> a user namespace. In that case, the remount issue doesn't apply anyway
> as the fs isn't shared with another container.
Come to think of it unmounting and remounting is a bit tricky, and
it is a bit parallel to having a disk base filesystem being in one
user namespace. Currently my patches have the rule that everything
maps to the initial user namespace, so using a filesystem from multiple
user namespaces is not a problem.
Unmounting is pretty safe if the rule is that you control the entire
mount namespace.
Remounting though that does become tricky in the unprivileged situation.
I honestly haven't thought through what that permission check should
look like yet.
Eric
prev parent reply other threads:[~2012-02-12 4:27 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-11 3:19 prevent containers from turning host filesystem readonly Serge Hallyn
2012-02-11 3:37 ` Al Viro
2012-02-11 3:57 ` Serge Hallyn
2012-02-11 4:07 ` Serge Hallyn
2012-02-11 19:07 ` Eric W. Biederman
2012-02-11 20:28 ` Serge E. Hallyn
2012-02-12 4:27 ` Eric W. Biederman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1sjig1xrp.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akpm@linux-foundation.org \
--cc=apw@canonical.com \
--cc=containers@lists.osdl.org \
--cc=daniel.lezcano@free.fr \
--cc=haveblue@us.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=serge.hallyn@canonical.com \
--cc=serge@hallyn.com \
--cc=stgraber@ubuntu.com \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.