From: Richard Weinberger <richard@nod.at>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Linux Containers <containers@lists.linux-foundation.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
"libvir-list@redhat.com" <libvir-list@redhat.com>,
"Daniel P. Berrange" <berrange@redhat.com>
Subject: Re: [GIT PULL] namespace updates for v3.17-rc1
Date: Thu, 21 Aug 2014 08:29:59 +0200
Message-ID: <53F591E7.3010509@nod.at>
In-Reply-To: <87vbpm4f4y.fsf@x220.int.ebiederm.org>
On 21.08.2014 06:53, Eric W. Biederman wrote:
> The bugs fixed are security issues, so if we have to break a small
> number of userspace applications we will. Anything that we can
> reasonably do to avoid regressions will be done.
>
> Could you please look at my user-namespace.git#for-next branch? I have a
> fix for at least one regression-causing issue in there. I think it may
> fix your issues but I am not fully certain; more comments below.
I'll run this on my LXC testbed today.
>>     /*
>>      * We can't immediately set the MS_RDONLY flag when mounting filesystems
>>      * because (in at least some kernel versions) this will propagate back
>>      * to the original mount in the host OS, turning it readonly too. Thus
>>      * we mount the filesystem in read-write mode initially, and then do a
>>      * separate read-only bind mount on top of that.
>>      */
>>     bindOverReadonly = !!(mnt_mflags & MS_RDONLY);
>>
>>     VIR_DEBUG("Mount %s on %s type=%s flags=%x",
>>               mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY);
>>     if (mount(mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY, NULL) < 0) {
>>
>> ^^^^ Here it fails for sysfs because with user namespaces we bind the
>> existing /sys into the container and would have to read out all existing
>> mount flags from the current /sys mount. Otherwise mount() fails with EPERM.
>> On my test system /sys is mounted with "rw,nosuid,nodev,noexec,relatime"
>> and libvirt misses the relatime...
>
> Not specifying any atime flags to mount should be safe as that asks for
> the default atime flags which for remount I have made the default atime
> flags the existing atime flags. So I am scratching my head a little on
> this one.
Okay, let me find out why exactly libvirt gets an EPERM here.
Maybe there are more odds hidden.
>>
>>         virReportSystemError(errno,
>>                              _("Failed to mount %s on %s type %s flags=%x"),
>>                              mnt_src, mnt->dst, NULLSTR(mnt->type),
>>                              mnt_mflags & ~MS_RDONLY);
>>         goto cleanup;
>>     }
>>
>>     if (bindOverReadonly &&
>>         mount(mnt_src, mnt->dst, NULL,
>>               MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
>>
>> ^^^ Here it fails because now we'd have to specify all flags as used
>> for the first
>> mount. For the procfs case MS_NOSUID|MS_NOEXEC|MS_NODEV.
>> See lxcBasicMounts[].
>> In this case the fix is easy, add mnt_mflags to the mount flags.
>
> That has always been a bug in general because remount has always
> required specifying the complete set of mount flags you want to have.
>
> The fact that flags such as nosuid are now properly locked so you can
> not change them if you are not the global root user just makes this
> obvious.
>
> Andy Lutomirski has observed that statvfs will return the mount flags,
> making reading them simple.
Thanks for the clarification, I'll create a fix for libvirt.
Thanks,
//richard