From: Mike Waychison <mikew@google.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: jamie@shareable.org, linuxram@us.ibm.com,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
akpm@osdl.org, viro@parcelfarce.linux.theplanet.co.uk
Subject: Re: [RFC][PATCH] rbind across namespaces
Date: Tue, 24 May 2005 10:09:31 -0700 [thread overview]
Message-ID: <42935FCB.1010809@google.com> (raw)
In-Reply-To: <E1DaUj1-0003eq-00@dorka.pomaz.szeredi.hu>
Miklos Szeredi wrote:
>>>>Referencing vfsmounts in userspace using a file descriptor:
>>>>http://marc.theaimsgroup.com/?l=linux-kernel&m=109871948812782&w=2
>>>
>>>
>>>Why not just use /proc/PID/fd/FD?
>>
>>In what sense? readlink of /proc/PID/fd/* will provide a pathname
>>relative to current's root: useless for any paths not in current's
>>namespace.
>
>
> Not readlink, but actual dereference of link will give you exactly the
> vfsmount/dentry the file was opened on. If you want to bind/move
> whatever on that mount, that's possible, even if it's a "detached
> tree".
Removing proc_check_root essentially removes any protection that
namespaces provided in the first place.
Think of it like virtual memory. You can fork off and create your own
COW instance, and no one can see what you are doing unless they ptrace
you or explicitly ask you. The mountfd model allows for explicit
handing off of vfsmounts between namespaces without allowing arbitrary
access.
>
>
>>Also, if we were to hijack /proc/PID/fd/* for cross namespace
>>manipulation, then we'd be enabling any root user on the system to
>>modify anyone's namespace.
>
>
> No. Obviously there must be limitations on which process can access
> /proc/PID/fd. It's obviously safe to allow 'self' for example. But
> any process you can ptrace should also be safe.
>
Yet even this doesn't allow userspace to define it's own policy for
inter-namespace manipulation.
>
>>This interface also has the huge advantage that you gain all the goodies
>>of using file descriptors, such as SCM_RIGHTS. You can hand of entire
>>trees of mountpoints between applications without ever even binding them
>>to any namespace whatsoever.
>
>
> Why is that dependent on the interface? The /proc interface already
> allows _everything_ you want to do with file descriptors. Only the
> the necessary restrictions should be worked out.
>
Worked out where? Allowing this stuff to happen in /proc forces you to
set this policy in the kernel.
>
>>Tie this in with some userspace code that can mount devices for users
>>with restrictions and appropriate policy, you can create some API+daemon
>>for regular user apps to get things mounted in a way that guarantees
>>hiding from other users.
>
>
> Yes. And I think that can be done without any new magic ioctls. Just
> with mount/umount and /proc.
>
> The implementation is another question. I'll look through your
> patches to see how you achieve all this.
>
Beware that due to the detached-subtrees bit, the locking became a bit
ugly, requiring a global rw_lock for mntget/mntput. I still haven't
figured out a better way to keep per-vfsmounts counts and per-subtree
counts in sync.
That said, the common case is a read lock, for shared access. Only on
mnt_attach / mnt_detach (usually a slowpath anyway) do we require
exclusive access. This would have been a good candidate for brlocks if
they were still around.
Mike Waychison
next prev parent reply other threads:[~2005-05-24 17:10 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-20 22:11 [RFC][PATCH] rbind across namespaces Ram
2005-05-21 6:27 ` Miklos Szeredi
2005-05-21 7:26 ` Ram
2005-05-21 8:09 ` Miklos Szeredi
2005-05-21 8:45 ` Ram
2005-05-21 9:09 ` Miklos Szeredi
2005-05-21 10:07 ` Ram
2005-05-21 13:12 ` Miklos Szeredi
2005-05-22 20:25 ` Ram
2005-05-22 20:51 ` Ram
2005-05-23 5:08 ` Miklos Szeredi
2005-05-23 7:24 ` Ram
2005-05-23 8:24 ` Miklos Szeredi
2005-05-21 9:48 ` Miklos Szeredi
2005-05-21 13:46 ` Jamie Lokier
2005-05-22 8:08 ` Miklos Szeredi
2005-05-22 17:04 ` [RFC][PATCH] /proc/dead_mounts support (Was: [RFC][PATCH] rbind across ...) Miklos Szeredi
2005-05-22 21:10 ` [RFC][PATCH] rbind across namespaces Ram
2005-05-23 5:07 ` Miklos Szeredi
2005-05-24 0:39 ` Mike Waychison
2005-05-24 5:43 ` Miklos Szeredi
2005-05-24 7:13 ` Mike Waychison
2005-05-24 8:25 ` Miklos Szeredi
2005-05-24 17:09 ` Mike Waychison [this message]
2005-05-24 17:31 ` Miklos Szeredi
2005-05-24 17:44 ` Mike Waychison
2005-05-24 17:56 ` Miklos Szeredi
2005-05-24 18:04 ` Mike Waychison
2005-05-30 19:06 ` Ram
2005-05-24 9:18 ` Miklos Szeredi
2005-05-24 17:15 ` Mike Waychison
2005-05-24 17:46 ` Miklos Szeredi
2005-05-24 18:15 ` Jamie Lokier
2005-05-24 18:33 ` Mike Waychison
2005-05-24 21:51 ` Jamie Lokier
2005-05-21 13:43 ` Jamie Lokier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42935FCB.1010809@google.com \
--to=mikew@google.com \
--cc=akpm@osdl.org \
--cc=jamie@shareable.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxram@us.ibm.com \
--cc=miklos@szeredi.hu \
--cc=viro@parcelfarce.linux.theplanet.co.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).