From: Glauber Costa <glommer@parallels.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: <cgroups@vger.kernel.org>, <linux-fsdevel@vger.kernel.org>,
<serge@hallyn.com>, <daniel.lezcano@free.fr>, <pjt@google.com>,
<mzxreary@0pointer.de>, <xemul@parallels.com>,
<James.Bottomley@HansenPartnership.com>, <tj@kernel.org>,
<eric.dumazet@gmail.com>
Subject: Re: [RFC 0/4] per-namespace allowed filesystems list
Date: Tue, 24 Jan 2012 15:24:55 +0400 [thread overview]
Message-ID: <4F1E9507.8020904@parallels.com> (raw)
In-Reply-To: <m1boptjqne.fsf@fess.ebiederm.org>
On 01/24/2012 03:17 PM, Eric W. Biederman wrote:
> Glauber Costa<glommer@parallels.com> writes:
>
>> On 01/24/2012 04:04 AM, Eric W. Biederman wrote:
>>> My first impression is that this looks like a hack to avoid finishing
>>> the user namespace.
>>
>> See my reply to Al. So again, to avoid steering the discussions to details I
>> myself don't consider central (since this is a first post anyway), let's focus
>> on the /proc container case. It is a privileged user as far as the container
>> goes, and we'd like to allow it to mount filesystems. But disallowing it to
>> mount /proc, can guarantee that the user will be provided with a version of
>> /proc that is safe, and that he can't escape this.
>
> The key things are that to the rest of the system you want this user to
> look like an unprivileged user. Aka user namespace.
>
>> Ideally, userspace wouldn't even get involved with this, and a process mounting
>> /proc would see the right things, depending on where it came from. But turns out
>> that the cgroups-controlled resources are a lot harder than the
>> namespaces-controlled resources for this.
>
> There are a couple of sides to this.
>
> If you trust the root user in your container all you have to say is:
> "Don't do that then."
Of course he may not obey. And then mess up with the *other* containers
in the system. (If he messes with himself, I don't care). Note that in
this context, "messing" can be as simple as figuring out information
that you'd not like the container to see.
> There are things like /proc/cpuinfo that a lot of processes use to
> figure out how many threads are wise to use. That is a problem that
> deserves a proper solution not a hack.
Agreed. This can be either in the kernel or in userspace. If it is in
userspace, maybe we'd like to guarantee that this view will be
consistent, and not replaced by the systemwide version.
> There are the global tunables under /proc like
> /proc/sys/kernel/panic_on_oops that you don't want people touching.
>
> There are potential security issues with people mounting block devices
> when they can control the filesystem data before mounting the
> filesystem. That mostly deserves fixing the filesystems but in the
> unprivileged mount context that probably deserves a whitelist.
>
> Then the are problems with mounting cgroup filesystems inside of a
> container, and wondering why they don't work. That is a design
> limitation in the cgroup filesystem and code that needs to be fixed.
>
> Is there a case you are worried about that I have not covered?
>
The ones I've listed here in this mail, mostly. I am now wondering if
Kirill has any around debugfs ?
prev parent reply other threads:[~2012-01-24 11:25 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-23 16:56 [RFC 0/4] per-namespace allowed filesystems list Glauber Costa
[not found] ` <1327337772-1972-1-git-send-email-glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2012-01-23 16:56 ` [RFC 1/4] move /proc/filesystems inside /proc/self Glauber Costa
2012-01-23 16:56 ` [RFC 4/4] fslist netlink interface Glauber Costa
2012-01-23 19:20 ` [RFC 0/4] per-namespace allowed filesystems list Eric W. Biederman
2012-01-23 21:12 ` Al Viro
[not found] ` <20120123211218.GF23916-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
2012-01-23 23:04 ` Kirill A. Shutemov
[not found] ` <20120123230457.GA14347-oKw7cIdHH8eLwutG50LtGA@public.gmane.org>
2012-01-23 23:12 ` Al Viro
2012-01-24 7:17 ` Kirill A. Shutemov
2012-01-24 10:32 ` Glauber Costa
2012-01-24 10:22 ` Glauber Costa
2012-01-23 16:56 ` [RFC 2/4] " Glauber Costa
2012-01-23 16:56 ` [RFC 3/4] show only allowed filesystems in /proc/filesystems Glauber Costa
2012-01-24 0:04 ` [RFC 0/4] per-namespace allowed filesystems list Eric W. Biederman
[not found] ` <m1vco2m0eh.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2012-01-24 10:31 ` Glauber Costa
[not found] ` <4F1E886A.7000107-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2012-01-24 11:17 ` Eric W. Biederman
2012-01-24 11:24 ` Glauber Costa [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F1E9507.8020904@parallels.com \
--to=glommer@parallels.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=cgroups@vger.kernel.org \
--cc=daniel.lezcano@free.fr \
--cc=ebiederm@xmission.com \
--cc=eric.dumazet@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=mzxreary@0pointer.de \
--cc=pjt@google.com \
--cc=serge@hallyn.com \
--cc=tj@kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).