From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Linux FS Devel <linux-fsdevel@vger.kernel.org>,
lsf-pc@lists.linux-foundation.org,
Seth Forshee <seth.forshee@canonical.com>,
Lukasz Pawelczyk <l.pawelczyk@samsung.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Richard Weinberger <richard@nod.at>
Subject: Re: [Lsf-pc] [LSF/MM TOPIC] Filesystem namespaces and uid/gid/lsm remapping
Date: Mon, 23 Feb 2015 08:16:53 -0800 [thread overview]
Message-ID: <1424708213.2134.13.camel@HansenPartnership.com> (raw)
In-Reply-To: <CALCETrXpnxA9T_E-kiytwj0fBH-AahJ8TmHRO8uDHkY=sS-0Pw@mail.gmail.com>
On Mon, 2015-02-23 at 07:54 -0800, Andy Lutomirski wrote:
> On Sun, Feb 22, 2015 at 9:01 AM, James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> > On Tue, 2014-12-02 at 15:47 -0800, Andy Lutomirski wrote:
> >> This should hopefully be a short topic, and it's possible that it'll
> >> be settled by the time LSF/MM comes around, but:
> >>
> >> There's a fair amount of interest from different directions for
> >> allowing filesystems with a backing store to be mounted (in the
> >> mount-from-scratch sense, not the bind-mount sense) in a user
> >> namespace. For example, Seth has patches to allow unprivileged FUSE
> >> mounts. There are a few issues here, for example:
> >>
> >> - What happens to device nodes in those filesystems?
> >
> > You have to allow device nodes in mount namespaces. However, not all
> > devices should be present, only the ones the owner of the namespace is
> > allowed to either see (read only) or control (read/write).
>
> I agree that you need to allow device nodes, but I'm not sure that you
> need to allow device nodes on filesystems with backing store. Every
> recent distro should work with devtmpfs (admittedly, we don't know how
> devtmpfs should work in a container), but tmpfs is a decent
> alternative. In any event, sticking device nodes on ext4 is asking
> for trouble with dynamic minors and such.
OK, so this one is a bit off topic from your original proposal. Because
now we're moving on to device handling inside containers (which is also
a big can of worms).
We tend to want a strictly controlled /dev for a container, because the
host has to make decisions about hotplug devices and pass them on to
containers (or not) based on its policy. This makes devtmpfs (to us)
unfit for purpose because all that policy would have to be coded per
container inside the kernel to make it work. We also need to control
access more strictly because of the disallow write and mount problem.
Device nodes we pass through to the container tend to be done via bind
mount from the host, so most of the policy logic can be in the host
userspace.
In fact, mknod is intercepted from the container and so the host polices
policy from that end as well ... so it doesn't really matter *where* the
device is being created ... that's not to say it couldn't be a tmpfs,
just saying that the actual location isn't that important. What is
important is policing the node create action.
However, other container people need to chime in here. I tend to think
that hotplug handling inside the container is unnecessary (certainly in
a hosting/VPS environment), but I believe there are other potential
users of it who have different ideas.
> > The specific problem for container security is allowing the user who can
> > write to the device also to mount it ... because that lets them inject
> > data known to cause a kernel crash and bring down the entire system or
> > worse. The current solution is simply not to allow the owner both to
> > write and mount, but this is becoming increasingly untenable using
> > loopback images with containers for cascading overlays like docker does.
>
> I see this as a separate issue. If the kernel has no implementation
> bugs, this would be a nonissue :)
Right, I started another thread on this.
James
next prev parent reply other threads:[~2015-02-23 16:16 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-02 23:47 [LSF/MM TOPIC] Filesystem namespaces and uid/gid/lsm remapping Andy Lutomirski
2014-12-03 3:37 ` Eric W. Biederman
2015-02-22 17:12 ` [Lsf-pc] " James Bottomley
2015-02-23 12:38 ` Jan Kara
2014-12-03 14:48 ` Seth Forshee
2014-12-05 18:01 ` David Howells
2014-12-08 21:59 ` Eric W. Biederman
2014-12-09 18:51 ` [Lsf-pc] " Jeff Layton
2015-02-22 16:52 ` James Bottomley
2015-02-22 23:51 ` Jeff Layton
2015-02-22 17:01 ` James Bottomley
2015-02-23 15:54 ` Andy Lutomirski
2015-02-23 16:16 ` James Bottomley [this message]
2015-03-02 22:34 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1424708213.2134.13.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=ebiederm@xmission.com \
--cc=l.pawelczyk@samsung.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=lsf-pc@lists.linux-foundation.org \
--cc=luto@amacapital.net \
--cc=richard@nod.at \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).