public inbox for cgroups@vger.kernel.org
From: Glauber Costa <glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
To: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
	mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
	linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Andrew Morton
	<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
	"Eric W. Biederman"
	<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Subject: [PATCH 0/4] fix devpts in user namespaces
Date: Fri, 15 Mar 2013 13:13:39 +0400
Message-ID: <1363338823-25292-1-git-send-email-glommer@parallels.com>

Hi,

devpts mounts in user namespaces are queued for 3.9. However, while playing
with it I found it to be less than ideal. Although it could possibly work
with custom software that can be made to point to /dev/pts/ptmx, a few things
prevent it from working correctly for people who, like us, are booting full
distributions.

In those scenarios, things like udev will kick in, maybe remount /dev undoing
any setup we might have done, and then software like sshd or anything else
calling openpty will search for /dev/ptmx, not /dev/pts/ptmx.

One of the problems that I am addressing here is that we are disallowing
mknod in user namespaces. Although I understand the motivation for that, I
believe that to be too restrictive, especially because we already control access
to the files separately. There should be no harm in mknod'ing something per se,
if manipulating it is forbidden.

That too, however, is too restrictive. Following the precedent that we set by
letting memcg manage the memory for tmpfs mounts, I am doing the same here with
the device cgroup, with the exception that instead of suggesting, here we have
a way to actually enforce it. Unless the mount was specifically marked as
nodev, reads and writes will be allowed to proceed if a device cgroup
contains the process. The device cgroup will then be the one responsible for
setting fine-grained access about which devices can and cannot be manipulated.

Last, /dev/ptmx will still always be the global ptmx device. We need to somehow
link it to our namespaces'. My proposal is to multiplex it and return the
correct "root ptmx" depending on which userns is reading that device.

Glauber Costa (4):
  dev_cgroup: keep track of which cgroup is the root cgroup
  fs: allow dev accesses in userns in controlled situations
  fs: allow mknod in user namespaces
  devpts: fix usage in user namespaces

 fs/devpts/inode.c        | 157 +++++++++++++++++++++++++++++++++++++++++++++--
 fs/namei.c               |   6 +-
 fs/namespace.c           |   2 +-
 include/linux/mount.h    |   2 +
 include/linux/security.h |   1 +
 security/device_cgroup.c |  15 ++++-
 6 files changed, 173 insertions(+), 10 deletions(-)

-- 
1.8.1.2
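
The cover letter's point that sshd and anything else calling openpty() goes through /dev/ptmx rather than /dev/pts/ptmx can be seen from user space. The following is an added example, not code from this patch series, the kernel or glibc: it walks the same steps glibc's openpty() takes (open the multiplexer, grantpt(), unlockpt(), ptsname_r()) against both paths and records the device numbers of the node it opened. It assumes a Linux host with a devpts mount at /dev/pts and needs no privileges; the names probe_pty, pty_probe, slave_under_devpts and probe_release are hypothetical helpers invented for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

/* Hypothetical helper types and functions for this example only; they are
 * not kernel or glibc API. */
struct pty_probe {
    int  master_fd;   /* open master fd, or -1 if any step failed */
    int  err;         /* error number of the failing step, 0 on success */
    int  ptmx_major;  /* device numbers of the ptmx node opened, -1 if stat failed */
    int  ptmx_minor;
    char slave[64];   /* slave path reported by the kernel, e.g. "/dev/pts/3" */
};

/* Record the (major, minor) of the character device at `path`, following
 * symlinks (distribution /dev/ptmx is sometimes a symlink to pts/ptmx). */
static void dev_numbers(const char *path, int *maj_out, int *min_out)
{
    struct stat st;
    if (stat(path, &st) == 0 && S_ISCHR(st.st_mode)) {
        *maj_out = (int)major(st.st_rdev);
        *min_out = (int)minor(st.st_rdev);
    } else {
        *maj_out = *min_out = -1;
    }
}

/* The steps glibc's openpty() performs, with the multiplexer path made
 * explicit so "/dev/ptmx" and "/dev/pts/ptmx" can be compared. */
struct pty_probe probe_pty(const char *ptmx_path)
{
    struct pty_probe p;
    memset(&p, 0, sizeof p);
    p.master_fd = -1;
    dev_numbers(ptmx_path, &p.ptmx_major, &p.ptmx_minor);

    int fd = open(ptmx_path, O_RDWR | O_NOCTTY);
    if (fd < 0) {
        p.err = errno;               /* ENOENT, EACCES, or EPERM from a nodev/cgroup denial */
        return p;
    }
    if (grantpt(fd) != 0 || unlockpt(fd) != 0) {
        p.err = errno;
        close(fd);
        return p;
    }
    int rc = ptsname_r(fd, p.slave, sizeof p.slave);  /* returns an errno value, 0 on success */
    if (rc != 0) {
        p.err = rc;
        close(fd);
        return p;
    }
    p.master_fd = fd;
    return p;
}

/* True when allocation succeeded and the slave lives under the devpts mount. */
int slave_under_devpts(const struct pty_probe *p)
{
    return p->master_fd >= 0 && strncmp(p->slave, "/dev/pts/", 9) == 0;
}

void probe_release(struct pty_probe *p)
{
    if (p->master_fd >= 0) {
        close(p->master_fd);
        p->master_fd = -1;
    }
}

int main(void)
{
    const char *paths[] = { "/dev/ptmx", "/dev/pts/ptmx" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        struct pty_probe p = probe_pty(paths[i]);
        if (p.master_fd < 0)
            printf("%s: %s (dev %d:%d)\n", paths[i], strerror(p.err),
                   p.ptmx_major, p.ptmx_minor);
        else
            printf("%s: dev %d:%d -> slave %s\n", paths[i],
                   p.ptmx_major, p.ptmx_minor, p.slave);
        probe_release(&p);
    }
    return 0;
}
```

Both nodes report the same device numbers (character 5:2), so stat alone cannot tell the global multiplexer from a per-instance one; what differs is which devpts instance answers the open, which is the multiplexing problem the cover letter describes. Run this inside a user namespace with its own devpts mount and the two lines will show whether the slaves come from the same instance.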

Thread overview: 28+ messages
2013-03-15  9:13 Glauber Costa [this message]
     [not found] ` <1363338823-25292-1-git-send-email-glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15  9:13   ` [PATCH 1/4] dev_cgroup: keep track of which cgroup is the root cgroup Glauber Costa
     [not found]     ` <1363338823-25292-2-git-send-email-glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15 14:07       ` Serge Hallyn
2013-03-15 14:43         ` Glauber Costa
2013-03-15 14:55           ` Serge Hallyn
2013-03-15 19:27       ` Aristeu Rozanski
2013-03-15  9:13   ` [PATCH 2/4] fs: allow dev accesses in userns in controlled situations Glauber Costa
2013-03-15 14:20     ` Serge Hallyn
2013-03-15  9:13   ` [PATCH 3/4] fs: allow mknod in user namespaces Glauber Costa
     [not found]     ` <1363338823-25292-4-git-send-email-glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15 14:37       ` Serge Hallyn
2013-03-15 14:49         ` Glauber Costa
     [not found]           ` <51433511.1020808-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15 15:14             ` Serge Hallyn
2013-03-15 18:03     ` Vasily Kulikov
2013-03-15 20:43     ` Eric W. Biederman
2013-03-16  0:23       ` Serge Hallyn
2013-03-15  9:13   ` [PATCH 4/4] devpts: fix usage " Glauber Costa
     [not found]     ` <1363338823-25292-5-git-send-email-glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15 14:45       ` Serge Hallyn
2013-03-15 10:26   ` [PATCH 0/4] fix devpts " Eric W. Biederman
     [not found]     ` <87boalt0vi.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-03-15 12:01       ` Glauber Costa
2013-03-15 14:00     ` Serge Hallyn
2013-03-15 14:42       ` Glauber Costa
     [not found]         ` <5143333E.1040100-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15 15:21           ` Serge Hallyn
2013-03-15 15:26             ` Glauber Costa
     [not found]               ` <51433DBE.9020109-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2013-03-15 15:58                 ` Serge Hallyn
2013-03-15 16:01                   ` Glauber Costa
2013-03-15 21:02               ` Eric W. Biederman
2013-03-18  3:20                 ` Serge Hallyn
2013-03-18 21:23                   ` Eric W. Biederman
