From: Richard Weinberger
Subject: Re: [CFT][PATCH 00/10] Making new mounts of proc and sysfs as safe as bind mounts (take 2)
Date: Thu, 28 May 2015 21:36:18 +0200
Message-ID: <55676E32.3050006@nod.at>
References: <87pp63jcca.fsf@x220.int.ebiederm.org> <87siaxuvik.fsf@x220.int.ebiederm.org> <87wq004im1.fsf@x220.int.ebiederm.org> <20150528140839.GD28842@ubuntumail>
Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Cc: "Eric W. Biederman" , Seth Forshee , Linux API , Linux Containers , Greg Kroah-Hartman , Kenton Varda , Michael Kerrisk-manpages , Linux FS Devel , Tejun Heo
To: Serge Hallyn , Andy Lutomirski
Return-path:
In-Reply-To: <20150528140839.GD28842@ubuntumail>
Sender: linux-api-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
List-Id: linux-fsdevel.vger.kernel.org

On 28.05.2015 at 16:08, Serge Hallyn wrote:
> Quoting Andy Lutomirski (luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org):
>> On Fri, May 22, 2015 at 10:39 AM, Eric W. Biederman
>> wrote:
>>> I had hoped to get some Tested-By's on that patch series.
>>
>> Sorry, I've been totally swamped.
>>
>> I suspect that Sandstorm is okay, but I haven't had a chance to test
>> it for real. Sandstorm makes only limited use of proc and sysfs in
>> containers, but I'll see if I can test it for real this weekend.
>
> Testing this with unprivileged containers, I get
>
> lxc-start: conf.c: lxc_mount_auto_mounts: 808 Operation not permitted - error mounting sysfs on /usr/lib/x86_64-linux-gnu/lxc/sys/devices/virtual/net flags 0
>

FWIW, it also breaks libvirt-lxc:

Error: internal error: guest failed to start: Failed to re-mount /proc/sys on /proc/sys flags=1021: Operation not permitted

Thanks,
//richard