From mboxrd@z Thu Jan  1 00:00:00 1970
From: Serge Hallyn
Subject: Re: [PATCH] fs: Remove implicit nodev for new mounts in non-root userns
Date: Fri, 15 Aug 2014 20:16:29 +0000
Message-ID: <20140815201629.GF11476@ubuntumail>
References: <2686c32f00b14148379e8cfee9c028c794d4aa1a.1407974494.git.luto@amacapital.net>
 <20140815190552.GA11476@ubuntumail>
 <20140815193746.GE11476@ubuntumail>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Cc: Linux Containers, "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org", stable, Kenton Varda, "Eric W. Biederman", Linux FS Devel, Linus Torvalds
To: Andy Lutomirski
Content-Disposition: inline
Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
List-Id: linux-fsdevel.vger.kernel.org

Quoting Andy Lutomirski (luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org):
> On Fri, Aug 15, 2014 at 12:37 PM, Serge Hallyn wrote:
> > Quoting Andy Lutomirski (luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org):
> >> On Fri, Aug 15, 2014 at 12:05 PM, Serge Hallyn wrote:
> >> > Quoting Andy Lutomirski (luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org):
> >> >> Currently, creating a new mount (as opposed to bindmount) in a
> >> >> non-root userns will implicitly set nodev unless the fs is devpts.
> >> >> Something like this will be necessary for file systems that allow
> >> >> the mounter to create device nodes without using mknod (e.g. FUSE
> >> >> if/when that is allowed), but none of the currently allowed
> >> >> filesystems do this.
> >> >
> >> > Hi,
> >> >
> >> > Sorry, I'm probably thinking stupidly, but I don't see this restriction
> >> > being the case
> >> >
> >> > serge@sl:~$ mount | grep tmp
> >> > [...]
> >> > tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
> >> > serge@sl:~$ sudo mknod /run/kvm c 10 232
> >> > [sudo] password for serge:
> >> > serge@sl:~$ echo $?
> >> > 0
> >> > serge@sl:~$ ls -l /run/kvm
> >> > crw-r--r-- 1 root root 10, 232 Aug 15 14:04 /run/kvm
> >> >
> >> > But you seem to be saying I shouldn't be allowed to create a device inside
> >> > a tmpfs. What am I overlooking?
> >>
> >> I assume you're in the root userns. This patch is unnecessary, and
> >> has no effect, if you're in the root userns.
> >
> > Right, but I thought you were justifying adding FS_USERNS_DEV_MOUNT by saying
> > that you cannot mknod in those filesystems. But I see you actually said
> > "without using mknod". I guess I don't understand that caveat.
>
> IIUC, there are two ways that a user could put a device node into
> their filesystem.
>
> The obvious way is using mknod. But mknod has its own perfectly valid
> permission checks, and it doesn't need any special handling at mount
> time.
>
> The less obvious way is to mount a filesystem that already contains a
> device node or to mount a filesystem that gives some other means of
> inserting a device node (e.g. a network filesystem or FUSE). Those
> might allow inserting device nodes without passing a global capability
> check, so unprivileged users in a userns must not be allowed to mount
> such a filesystem without MNT_NODEV | MNT_LOCK_NODEV.
>
> Fortunately, none of the existing FS_USERNS_MOUNT filesystems have
> that property. FUSE will, but we don't support FUSE in a userns yet
> (unfortunately -- it would be a *very* useful feature.)
>
> I think that, if we ever allow FUSE in a userns, we should return

Which, btw, I'm hoping we'll be allowing soon.

> -EPERM when trying to mount it unless the user specifies MS_NODEV,

In either case we can think that through when the time comes.

> which is what this patch does. I don't think there's any reason to
> play complicated games to allow programs to get away with omitting
> MS_NODEV.

Thanks, Andy.
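The two mechanisms Andy separates above (the kernel's implicit MNT_NODEV on a new mount in a non-root userns versus mknod's own capability check) can be observed directly from userspace. The program below is an added example written for this page; it is not code from the thread, from the patch, or from the kernel tree. It assumes a Linux host with unprivileged user namespaces enabled, uses two hypothetical mount points under /tmp, and mounts tmpfs from a fresh user namespace once without flags and once with the explicit MS_NODEV that Andy recommends passing anyway. It then reads /proc/self/mountinfo to report whether "nodev" ended up on each mount, and finally tries mknod of a character device inside the mount so the reader sees which check refuses it. Which of the two mounts carries nodev is exactly what the patch changes, so treat the output as a probe of the running kernel rather than a fixed expectation. The mountinfo parser, mountinfo_has_opt, is exercised against a constructed sample so it can be checked without namespace privileges.

```c
/* Added example (not from the thread or the kernel): probe implicit nodev on
 * unprivileged userns mounts.  Mount points under /tmp are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

/* Find the /proc/self/mountinfo entry whose mount point (5th field) equals
 * `target` and test whether `opt` is in its per-mount options (6th field, where
 * MNT_NODEV appears as "nodev").  1 = present, 0 = absent, -1 = no such mount. */
int mountinfo_has_opt(const char *mountinfo, const char *target, const char *opt)
{
    const char *line = mountinfo;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[1024], *f[6], *save, *tok;
        int n = 0;
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        for (tok = strtok_r(buf, " ", &save); tok && n < 6; tok = strtok_r(NULL, " ", &save))
            f[n++] = tok;
        if (n == 6 && strcmp(f[4], target) == 0) {
            /* compare whole option names, so "dev" does not match "nodev" */
            for (tok = strtok_r(f[5], ",", &save); tok; tok = strtok_r(NULL, ",", &save))
                if (strcmp(tok, opt) == 0) return 1;
            return 0;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return -1;
}

/* Constructed sample in mountinfo format, used only for the offline self-check. */
const char sample_mountinfo[] =
    "36 35 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "40 36 0:35 / /tmp/utest_implicit rw,nodev,relatime - tmpfs tmpfs rw,size=1024k\n"
    "41 36 0:36 / /tmp/utest_explicit rw,nodev,relatime - tmpfs tmpfs rw,size=1024k\n";

static int write_str(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, s, strlen(s));
    close(fd);
    return w == (ssize_t)strlen(s) ? 0 : -1;
}

static void report(const char *mi, const char *target, const char *label)
{
    int r = mountinfo_has_opt(mi, target, "nodev");
    printf("%-18s nodev %s\n", label, r == 1 ? "set" : r == 0 ? "absent" : "(mount not found)");
}

int main(void)
{
    const char *implicit = "/tmp/utest_implicit", *explicit_ = "/tmp/utest_explicit";
    static char mi[1 << 16];
    char map[64], node[64];
    size_t off = 0;
    ssize_t got;
    int fd;

    /* Become root of a new user namespace that owns a new mount namespace; the
     * uid/gid maps make the caller a mapped user inside it before mounting. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) { perror("unshare"); return 1; }
    write_str("/proc/self/setgroups", "deny");
    snprintf(map, sizeof map, "0 %u 1", getuid()); write_str("/proc/self/uid_map", map);
    snprintf(map, sizeof map, "0 %u 1", getgid()); write_str("/proc/self/gid_map", map);
    mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL); /* stop propagation to the parent */

    mkdir(implicit, 0700);
    mkdir(explicit_, 0700);
    if (mount("tmpfs", implicit, "tmpfs", 0, "size=1m") != 0) { perror("mount, no flags"); return 1; }
    if (mount("tmpfs", explicit_, "tmpfs", MS_NODEV, "size=1m") != 0) { perror("mount, MS_NODEV"); return 1; }

    fd = open("/proc/self/mountinfo", O_RDONLY);
    if (fd < 0) { perror("mountinfo"); return 1; }
    while (off < sizeof mi - 1 && (got = read(fd, mi + off, sizeof mi - 1 - off)) > 0) off += (size_t)got;
    close(fd);
    mi[off] = '\0';
    report(mi, implicit, "without MS_NODEV:");
    report(mi, explicit_, "with MS_NODEV:");

    /* The "obvious way": mknod keeps its own capability check independent of
     * mount flags, so this shows what it decides for a userns root. */
    snprintf(node, sizeof node, "%s/null", implicit);
    if (mknod(node, S_IFCHR | 0600, makedev(1, 3)) == 0)
        printf("mknod c 1 3 inside the mount: allowed\n");
    else
        printf("mknod c 1 3 inside the mount: %s\n", strerror(errno));
    return 0;
}
```

Run it as an ordinary user; if unshare fails with EPERM, unprivileged user namespaces are disabled on that host. The parser reads only the first six space-separated fields of each line, because the optional fields that follow (for example shared:N) and everything after the " - " separator belong to the superblock, not to the mount whose MNT_NODEV the thread is about.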