From mboxrd@z Thu Jan 1 00:00:00 1970 From: Seth Forshee Subject: Re: [PATCH 1/5] fs: Verify access of user towards block device file when mounting Date: Mon, 5 Oct 2015 09:26:21 -0500 Message-ID: <20151005142621.GB21639@ubuntu-hedt> References: <1443644116-41366-1-git-send-email-seth.forshee@canonical.com> <1443644116-41366-2-git-send-email-seth.forshee@canonical.com> <20150930234215.GA24127@redhat.com> <20151001125508.GA101875@ubuntu-hedt> <20151001134052.GB27818@redhat.com> <87wpv6a8hl.fsf@x220.int.ebiederm.org> <20151001230700.GA10087@quack.suse.cz> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: "Eric W. Biederman" , Mike Snitzer , Kent Overstreet , Alasdair Kergon , dm-devel@redhat.com, Neil Brown , David Woodhouse , Brian Norris , Alexander Viro , Jan Kara , Jeff Layton , "J. Bruce Fields" , Serge Hallyn , Andy Lutomirski , linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-mtd@lists.infradead.org, linux-bcache@vger.kernel.org, linux-raid@vger.kernel.org To: Jan Kara Return-path: Content-Disposition: inline In-Reply-To: <20151001230700.GA10087@quack.suse.cz> Sender: linux-kernel-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org On Fri, Oct 02, 2015 at 01:07:00AM +0200, Jan Kara wrote: > On Thu 01-10-15 10:55:50, Eric W. Biederman wrote: > > The goal if possible is to run things like docker without needed to be > > root or even more fun to run docker in a container, and in general > > enable nested containers. > > Frankly at the filesystem side we are rather far from being able to safely > mount untrusted device and I don't think we'll ever be robust enough to > tolerate e.g. user changing the disk while fs is using it. So would this be > FUSE-only thing or is someone still hoping that general purpose filesystems > will be robust enough in future? FUSE will almost certainly be first. I've also been working with ext4, and I would like to see that eventually supported to some degree. Seth