From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.3 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B643FC11D0C for ; Thu, 20 Feb 2020 14:26:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 97859207FD for ; Thu, 20 Feb 2020 14:26:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727553AbgBTO01 (ORCPT ); Thu, 20 Feb 2020 09:26:27 -0500 Received: from mail.hallyn.com ([178.63.66.53]:59536 "EHLO mail.hallyn.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727088AbgBTO01 (ORCPT ); Thu, 20 Feb 2020 09:26:27 -0500 Received: by mail.hallyn.com (Postfix, from userid 1001) id B0D613F5; Thu, 20 Feb 2020 08:26:24 -0600 (CST) Date: Thu, 20 Feb 2020 08:26:24 -0600 From: "Serge E. Hallyn" To: Andy Lutomirski Cc: Christian Brauner , "Serge E. Hallyn" , =?iso-8859-1?Q?St=E9phane?= Graber , "Eric W. Biederman" , Aleksa Sarai , Jann Horn , smbarber@chromium.org, Seth Forshee , Alexander Viro , Alexey Dobriyan , James Morris , Kees Cook , Jonathan Corbet , Phil Estes , LKML , Linux FS Devel , Linux Containers , LSM List , Linux API Subject: Re: [PATCH v3 09/25] fs: add is_userns_visible() helper Message-ID: <20200220142624.GA5249@mail.hallyn.com> References: <20200218143411.2389182-1-christian.brauner@ubuntu.com> <20200218143411.2389182-10-christian.brauner@ubuntu.com> <20200219024233.GA19334@mail.hallyn.com> <20200219120604.vqudwaeppebvisco@wittgenstein> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) Sender: linux-api-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-api@vger.kernel.org On Wed, Feb 19, 2020 at 09:18:51AM -0800, Andy Lutomirski wrote: > On Wed, Feb 19, 2020 at 4:06 AM Christian Brauner > wrote: > > > > On Tue, Feb 18, 2020 at 08:42:33PM -0600, Serge Hallyn wrote: > > > On Tue, Feb 18, 2020 at 03:33:55PM +0100, Christian Brauner wrote: > > > > Introduce a helper which makes it possible to detect fileystems whose > > > > superblock is visible in multiple user namespace. This currently only > > > > means proc and sys. Such filesystems usually have special semantics so their > > > > behavior will not be changed with the introduction of fsid mappings. > > > > > > Hi, > > > > > > I'm afraid I've got a bit of a hangup about the terminology here. I > > > *think* what you mean is that SB_I_USERNS_VISIBLE is an fs whose uids are > > > always translated per the id mappings, not fsid mappings. But when I see > > > > Correct! > > > > > the name it seems to imply that !SB_I_USERNS_VISIBLE filesystems can't > > > be seen by other namespaces at all. > > > > > > Am I right in my first interpretation? If so, can we talk about the > > > naming? > > > > Yep, your first interpretation is right. What about: wants_idmaps() > > Maybe fsidmap_exempt()? Yeah, and maybe SB_USERNS_FSID_EXEMPT ? > I still haven't convinced myself that any of the above is actually > correct behavior, especially when people do things like creating > setuid binaries. The only place that would be a problem is if the child userns has an fsidmapping from X to 0 in the parent userns, right? Yeah I'm sure many people would ignore all advice to the contrary and do this anyway, but I would try hard to suggest that people use an intermediary userns for storing filesystems for the "docker share" case. So the host fsid range would start at say 200000. So a setuid binary would just be setuid-200000.