From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
To: "Daniel P. Berrange" <berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Subject: Re: Regression wrt mounting /proc in user namespace in 3.13
Date: Sat, 16 Nov 2013 16:48:40 +0000 [thread overview]
Message-ID: <20131116164840.GA4441@mail.hallyn.com> (raw)
In-Reply-To: <20131115164123.GN28794-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Quoting Daniel P. Berrange (berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org):
> Just testing libvirt with user namespaces on current Fedora rawhide
> 3.13.0-0.rc0.git3.2.fc21.x86_64 kernel, I'm now getting an error when
> we attempt to mount /proc
Thanks, I saw the same thing with 3.12 on friday afternoon, and decided
I must be too haggard from a week of unrelated work to think straight.
This definately will be a problem, making user namespace unusable for
containers.
> # virsh -c lxc:/// start shell
> error: Failed to start domain shell
> error: internal error: guest failed to start: Failed to mount proc on /proc type proc flags=e: Operation not permitted
>
> The syscall failing is
>
> mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EPERM (Operation not permitted)
>
>
> On the host OS the default Fedora environment has the following mounts
> present
>
> # grep /proc /proc/mounts
> proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
> systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=41,pgrp=1,timeout=300,minproto=5,maxproto=5,direct 0 0
> binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
> sunrpc /proc/fs/nfsd nfsd rw,relatime 0 0
>
> # ls /proc/fs/nfsd/
> export_features filehandle nfsv4gracetime nfsv4recoverydir pool_threads reply_cache_stats threads unlock_ip
> exports max_block_size nfsv4leasetime pool_stats portlist supported_krb5_enctypes unlock_filesystem versions
>
> # ls /proc/sys/fs/binfmt_misc/
> qemu-alpha qemu-cris qemu-microblazeel qemu-mips64el qemu-ppc64 qemu-sh4 qemu-sparc32plus status
> qemu-arm qemu-m68k qemu-mips qemu-mipsel qemu-ppc64abi32 qemu-sh4eb qemu-sparc64
> qemu-armeb qemu-microblaze qemu-mips64 qemu-ppc qemu-s390x qemu-sparc register
>
>
> Only if I umount both of the /proc/sys/fs/binfmt_misc/ entries
> am I able to get past this EPERM error code.
>
> Looking at GIT history I see this change as a likely candidate for
> something which has changed in this area:
>
> commit e51db73532955dc5eaba4235e62b74b460709d5b
> Author: Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
> Date: Sat Mar 30 19:57:41 2013 -0700
>
> userns: Better restrictions on when proc and sysfs can be mounted
>
> Rely on the fact that another flavor of the filesystem is already
> mounted and do not rely on state in the user namespace.
>
> Verify that the mounted filesystem is not covered in any significant
> way. I would love to verify that the previously mounted filesystem
> has no mounts on top but there are at least the directories
> /proc/sys/fs/binfmt_misc and /sys/fs/cgroup/ that exist explicitly
> for other filesystems to mount on top of.
>
> Refactor the test into a function named fs_fully_visible and call that
> function from the mount routines of proc and sysfs. This makes this
> test local to the filesystems involved and the results current of when
> the mounts take place, removing a weird threading of the user
> namespace, the mount namespace and the filesystems themselves.
>
> Signed-off-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
>
>
> My guess is fs_fully_visible() is returning false, and thus causing the
> proc_mount() call to return EPERM, but I'm unclear why this would happen,
> or if this is indeed a correct hypothesis.
>
>
> Regards,
> Daniel
> --
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
> _______________________________________________
> Containers mailing list
> Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
> https://lists.linuxfoundation.org/mailman/listinfo/containers
next prev parent reply other threads:[~2013-11-16 16:48 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-15 16:41 Regression wrt mounting /proc in user namespace in 3.13 Daniel P. Berrange
[not found] ` <20131115164123.GN28794-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-11-16 16:48 ` Serge E. Hallyn [this message]
[not found] ` <20131116164840.GA4441-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-17 3:06 ` Serge E. Hallyn
[not found] ` <20131117030653.GA7670-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-18 3:19 ` Serge E. Hallyn
[not found] ` <20131118031932.GA17621-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-18 4:52 ` Gao feng
[not found] ` <52899D09.5080202-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-11-18 14:08 ` Serge E. Hallyn
[not found] ` <20131118140830.GA22075-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-18 18:01 ` Serge E. Hallyn
[not found] ` <20131118180134.GA24156-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-19 1:51 ` Eric W. Biederman
[not found] ` <87k3g5gnuv.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-11-19 3:47 ` Serge E. Hallyn
2013-11-26 18:10 ` Serge E. Hallyn
[not found] ` <20131126181043.GA25492-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-27 0:14 ` [REVIEW][PATCH 0/3] userns fixes for v3.13-rc1 Eric W. Biederman
[not found] ` <87siui1z1g.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-11-27 0:16 ` [REVIEW][PATCH 1/3] vfs: In d_path don't call d_dname on a mount point Eric W. Biederman
[not found] ` <8738mi1yya.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-11-27 1:58 ` Serge E. Hallyn
2013-11-30 6:15 ` Al Viro
[not found] ` <20131130061525.GY10323-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
2013-11-30 17:02 ` Al Viro
[not found] ` <20131130170226.GZ10323-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
2013-11-30 21:51 ` Eric W. Biederman
[not found] ` <87a9glh838.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-11-30 22:43 ` Al Viro
[not found] ` <20131130224340.GA10323-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
2013-12-02 7:29 ` Al Viro
2014-01-17 3:29 ` Eric W. Biederman
[not found] ` <874n53gub7.fsf@xmission.com>
[not found] ` <874n53gub7.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2014-01-17 8:39 ` Al Viro
[not found] ` <20140117083901.GA10323-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
2014-02-07 2:21 ` [PATCH 0/4] d_dname cleanups Eric W. Biederman
[not found] ` <87iosrhdc0.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2014-02-07 2:23 ` [PATCH 1/4] perfmon: Use d_alloc_pseudo like all of the d_dname callers Eric W. Biederman
2014-02-07 2:23 ` [PATCH 2/4] vfs: Simply when d_alloc_dname is called Eric W. Biederman
2014-02-07 2:24 ` [PATCH 3/4] vfs: Move the call of d_op->d_dname from d_path to prepend_path Eric W. Biederman
2014-02-07 2:24 ` [PATCH 4/4] vfs: Call d_dname from dentry_path Eric W. Biederman
2013-12-01 5:09 ` [REVIEW][PATCH 1/3] vfs: In d_path don't call d_dname on a mount point Al Viro
[not found] ` <20131201050930.GB10323-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
2013-12-01 6:15 ` [REVIEW][PATCH 1/3] vfs: In d_path don't call d_dname on a mountpoint Tetsuo Handa
2013-12-02 5:43 ` [REVIEW][PATCH 1/3] vfs: In d_path don't call d_dname on a mount point NeilBrown
[not found] ` <20131202164359.4f4f2c94-wvvUuzkyo1EYVZTmpyfIwg@public.gmane.org>
2013-12-02 16:23 ` J.Bruce Fields
2013-11-27 0:16 ` [REVIEW][PATCH 2/3] fork: Allow CLONE_PARENT after setns(CLONE_NEWPID) Eric W. Biederman
[not found] ` <87vbzezojq.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-11-27 1:58 ` Serge E. Hallyn
2013-11-27 0:17 ` [REVIEW][PATCH 3/3] vfs: Fix a regression in mounting proc Eric W. Biederman
[not found] ` <87pppmzoin.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-11-27 0:21 ` Andy Lutomirski
[not found] ` <CALCETrVp78EfzY3Oa-LV1Hm8A4Y35apehcxrxdyrzvTb5sp=pA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-27 0:36 ` Eric W. Biederman
2013-11-27 2:00 ` Serge E. Hallyn
2013-11-27 3:19 ` Gao feng
[not found] ` <529564AA.8050100-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2013-11-27 5:00 ` Eric W. Biederman
2013-11-27 16:13 ` Oleg Nesterov
[not found] ` <20131127161300.GA24773@redhat.com>
[not found] ` <20131127161300.GA24773-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-11-27 16:29 ` Serge E. Hallyn
[not found] ` <20131127162928.GB7358-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-11-27 18:09 ` Oleg Nesterov
2013-11-27 16:41 ` Andy Lutomirski
[not found] ` <CALCETrXFnw63=JoEaQxM+Opj+kCXSL=9XppymzGKhLzOnp3WaQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-27 18:10 ` Oleg Nesterov
2013-11-27 18:51 ` Eric W. Biederman
[not found] ` <871u21oeyr.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-11-27 19:47 ` Oleg Nesterov
[not found] ` <20131127194722.GA32673@redhat.com>
[not found] ` <20131127194722.GA32673-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-11-27 19:52 ` Eric W. Biederman
[not found] ` <87iovdmxl7.fsf@xmission.com>
[not found] ` <87iovdmxl7.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-11-27 20:01 ` Oleg Nesterov
2013-11-27 20:07 ` Eric W. Biederman
[not found] ` <87wqjtlic3.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-11-27 20:41 ` Andy Lutomirski
2013-11-29 19:53 ` Oleg Nesterov
[not found] ` <20131129195327.GA12974-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2013-12-13 22:07 ` Richard Weinberger
[not found] ` <CALCETrUwjK7iLMMJaCvKUbBwEqV58oXY4dWzTGJohYgg4DwjWQ@mail.gmail.com>
[not found] ` <CALCETrUwjK7iLMMJaCvKUbBwEqV58oXY4dWzTGJohYgg4DwjWQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-11-29 14:56 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131116164840.GA4441@mail.hallyn.com \
--to=serge-a9i7lubdfnhqt0dzr+alfa@public.gmane.org \
--cc=berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox