From: Serge Hallyn
Subject: Re: ioctl CAP_LINUX_IMMUTABLE is checked in the wrong namespace
Date: Wed, 30 Apr 2014 00:40:00 +0000
Message-ID: <20140430004000.GC28969@ubuntumail>
In-Reply-To: <20140430003236.GA6472@thunk.org>
References: <535FADDA.2070803@1h.com> <20140429183534.GB19325@thunk.org> <20140429185251.GA27969@ubuntumail> <53601E5B.5050004@1h.com> <20140429220234.GC28410@ubuntumail> <536026B3.1020905@1h.com> <20140429222913.GD28410@ubuntumail> <53602B84.1020304@mit.edu> <20140430001641.GA28969@ubuntumail> <20140430003236.GA6472@thunk.org>
To: Theodore Ts'o, Andy Lutomirski, Marian Marinov, containers@vger.kernel.org, Linux Kernel Mailing List, lxc-devel
List-Id: containers.vger.kernel.org

Quoting Theodore Ts'o (tytso@mit.edu):
> On Wed, Apr 30, 2014 at 12:16:41AM +0000, Serge Hallyn wrote:
> > I forget the details, but there was another case where I wanted to
> > have the userns which 'owns' the whole fs available. I guess we'd
> > have to check against that instead of using inode_capable.
>
> Yes, that sounds right.
>
> And *please* tell me that under no circumstances is anyone other
> than root@init_user_ns allowed to use mknod....

That's the case. We've considered making exceptions for things like
/dev/null, but in practice bind-mounting devices from the host has
worked out just fine.