Re: [RFC][PATCH] rbind across namespaces

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Mike Waychison <mike@waychison.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: jamie@shareable.org, linuxram@us.ibm.com,
	linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	akpm@osdl.org, viro@parcelfarce.linux.theplanet.co.uk
Subject: Re: [RFC][PATCH] rbind across namespaces
Date: Tue, 24 May 2005 03:13:26 -0400	[thread overview]
Message-ID: <4292D416.5070001@waychison.com> (raw)
In-Reply-To: <E1DaSCb-0003Tw-00@dorka.pomaz.szeredi.hu>

Miklos Szeredi wrote:
>>FWIW, all this stuff has already been done and posted here.
>>
>>Detachable chunks of vfsmounts:
>>http://marc.theaimsgroup.com/?l=linux-fsdevel&m=109872862003192&w=2
>>
>>'Soft' reference counts for manipulating vfsmounts without pinning them 
>>down:
>>http://marc.theaimsgroup.com/?l=linux-kernel&m=109872797030644&w=2
> 
> 
> I think this might just interest Jamie Lokier.  He had a very similar
> poposal recently, but without reference to this patch, so I guess he
> wasn't aware of it.
> 

Interesting.  I haven't been following LKML/fsdevel lately due to lack
of time.

> 
>>Referencing vfsmounts in userspace using a file descriptor:
>>http://marc.theaimsgroup.com/?l=linux-kernel&m=109871948812782&w=2
> 
> 
> Why not just use /proc/PID/fd/FD?

In what sense?  readlink of /proc/PID/fd/* will provide a pathname
relative to current's root: useless for any paths not in current's
namespace.

Also, if we were to hijack /proc/PID/fd/* for cross namespace
manipulation, then we'd be enabling any root user on the system to
modify anyone's namespace.  Any security *cough* provided by namespaces
is lost.  A more secure way is to have root in namespace A allow root in
namespace B do the mounts.  If you further restrict how this hand-off
happens, such as the walking constraints in the patch mentioned below,
we can restrict modification of a namespace to a given sub-tree of
vfsmounts.

This interface also has the huge advantage that you gain all the goodies
of using file descriptors, such as SCM_RIGHTS.  You can hand of entire
trees of mountpoints between applications without ever even binding them
to any namespace whatsoever.

Tie this in with some userspace code that can mount devices for users
with restrictions and appropriate policy, you can create some API+daemon
for regular user apps to get things mounted in a way that guarantees
hiding from other users.

> 
> 
>>walking mountpoints in userspace: 
>>http://marc.theaimsgroup.com/?l=linux-kernel&m=109875012510262&w=2
> 
> 
> Is this needed?  Userspace can find out mountpoints from /proc/mounts
> (or something similar for detached trees).
> 

With detached mountpoints (and especially with detached mountpoint
_trees_) it can become very difficult to assess which trees are which.

Also, just like /proc/PID/fd/*, /proc/mounts is built according to
_current_'s root.  This only gives a skewed view of what is going on.

> 
>>attaching mountpoints in userspace:
>>http://marc.theaimsgroup.com/?l=linux-fsdevel&m=109875063100111&w=2
> 
> 
> Again, bind from/to /proc/PID/fd/FD should work without any new
> interfaces.

No..  It wouldn't.  Pathname resolution is doing everything according to
the ->readlink information provided by this magic proc files, again in
current's namespace.  If you care to hijack ->follow_link, prepare
yourself for a slew of corner cases.

> 
> 
>>detaching mountpoints in userspace:
>>http://marc.theaimsgroup.com/?l=linux-kernel&m=109880051800963&w=2
> 
> 
> What's wrong with sys_umount()?

sys_umount only works with paths in current's namespace. It doesn't
allow you to handle vfsmounts as primaries in userspace.

> 
> 
>>getting info from a vfsmount:
>>http://marc.theaimsgroup.com/?l=linux-kernel&m=109875135030473&w=2
> 
> 
> /proc or /sys should do fine for this purpose I think.
> 

Sure, if you can look it up somehow.  Even if you could currently walk
around in another namespace using fchdir+chdir, you couldn't pull out
kernel-knowledge of mountpoints, you have to fall back to /etc/mtab,
which is completely broken when you mix in namespaces anyway..

> I agree, that having "floating trees" could be useful, but I don't see
> the point of adding new interfaces to support it.
> 

I'm not hugely tied to the idea at the moment.  I implemented it as part
of this interface cause it was a simple extension to what was being done.

> Miklos
> -
> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

next prev parent reply	other threads:[~2005-05-24  7:15 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-05-20 22:11 [RFC][PATCH] rbind across namespaces Ram
2005-05-21  6:27 ` Miklos Szeredi
2005-05-21  7:26   ` Ram
2005-05-21  8:09     ` Miklos Szeredi
2005-05-21  8:45       ` Ram
2005-05-21  9:09         ` Miklos Szeredi
2005-05-21 10:07           ` Ram
2005-05-21 13:12             ` Miklos Szeredi
2005-05-22 20:25               ` Ram
2005-05-22 20:51                 ` Ram
2005-05-23  5:08                   ` Miklos Szeredi
2005-05-23  7:24                     ` Ram
2005-05-23  8:24                       ` Miklos Szeredi
2005-05-21  9:48         ` Miklos Szeredi
2005-05-21 13:46       ` Jamie Lokier
2005-05-22  8:08         ` Miklos Szeredi
2005-05-22 17:04           ` [RFC][PATCH] /proc/dead_mounts support (Was: [RFC][PATCH] rbind across ...) Miklos Szeredi
2005-05-22 21:10           ` [RFC][PATCH] rbind across namespaces Ram
2005-05-23  5:07             ` Miklos Szeredi
2005-05-24  0:39           ` Mike Waychison
2005-05-24  5:43             ` Miklos Szeredi
2005-05-24  7:13               ` Mike Waychison [this message]
2005-05-24  8:25                 ` Miklos Szeredi
2005-05-24 17:09                   ` Mike Waychison
2005-05-24 17:31                     ` Miklos Szeredi
2005-05-24 17:44                       ` Mike Waychison
2005-05-24 17:56                         ` Miklos Szeredi
2005-05-24 18:04                           ` Mike Waychison
2005-05-30 19:06                             ` Ram
2005-05-24  9:18                 ` Miklos Szeredi
2005-05-24 17:15                   ` Mike Waychison
2005-05-24 17:46                     ` Miklos Szeredi
2005-05-24 18:15                     ` Jamie Lokier
2005-05-24 18:33                       ` Mike Waychison
2005-05-24 21:51                         ` Jamie Lokier
2005-05-21 13:43     ` Jamie Lokier

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4292D416.5070001@waychison.com \
    --to=mike@waychison.com \
    --cc=akpm@osdl.org \
    --cc=jamie@shareable.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linuxram@us.ibm.com \
    --cc=miklos@szeredi.hu \
    --cc=viro@parcelfarce.linux.theplanet.co.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).