From mboxrd@z Thu Jan 1 00:00:00 1970
From: Vasily Kulikov
Subject: Re: [PATCH 3/4] fs: allow mknod in user namespaces
Date: Fri, 15 Mar 2013 22:03:08 +0400
Message-ID: <20130315180308.GA5526@cachalot>
References: <1363338823-25292-1-git-send-email-glommer@parallels.com> <1363338823-25292-4-git-send-email-glommer@parallels.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: cgroups@vger.kernel.org, containers@lists.linux-foundation.org, Aristeu Rozanski , mtk.manpages@gmail.com, linux-fsdevel@vger.kernel.org, Andrew Morton , "Eric W. Biederman"
To: Glauber Costa
Return-path:
Received: from mail-la0-f43.google.com ([209.85.215.43]:33718 "EHLO mail-la0-f43.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751419Ab3COSDO (ORCPT ); Fri, 15 Mar 2013 14:03:14 -0400
Content-Disposition: inline
In-Reply-To: <1363338823-25292-4-git-send-email-glommer@parallels.com>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

On Fri, Mar 15, 2013 at 13:13 +0400, Glauber Costa wrote:
> Since we have strict control on who accesses the devices, it should be
> no problem to allow the device to appear.
...
> - if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
> + if ((S_ISCHR(mode) || S_ISBLK(mode)) && !nsown_capable(CAP_MKNOD))

As we now have several mechanisms for dev node usage in containers (cgroup, per-fs flags, CAP_MKNOD), probably it's better to document all this stuff in a single document? Enumerate all possible limits on device file creation and usage, and describe unobvious ways to abuse the API to escape from a container (allow loopback device? allow ext4? just guessing, didn't investigate myself). It should document several safe patterns for common cases and warn about known-to-be-vulnerable ones.

Thanks,

--
Vasily Kulikov
http://www.openwall.com - bringing security into open computing environments
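Review bot: the quoted hunk relaxes the only check in this path, replacing `capable(CAP_MKNOD)` with `nsown_capable(CAP_MKNOD)`, but nothing in the visible lines restricts which major/minor numbers a user-namespace root may then create for S_ISCHR/S_ISBLK nodes; the justification "strict control on who accesses the devices" refers to a mechanism outside this hunk, so the commit message should name that mechanism (and the mount flag or cgroup it depends on) and state what happens when it is absent, since the check as written grants node creation for any device number once CAP_MKNOD is held in the caller's own namespace.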