From: ebiederm@xmission.com (Eric W. Biederman)
Subject: Re: DoS with unprivileged mounts
Date: Wed, 14 Aug 2013 14:54:35 -0700
Message-ID: <8761v8os4k.fsf@tw-ebiederman.twitter.com>
References: <520BD9E0.8050304@mit.edu> <8761v882wj.fsf@xmission.com>
Mime-Version: 1.0
Content-Type: text/plain
Cc: Miklos Szeredi, "Serge E. Hallyn", Al Viro, Linux-Fsdevel, Kernel Mailing List
To: Andy Lutomirski
In-Reply-To: (Andy Lutomirski's message of "Wed, 14 Aug 2013 13:25:34 -0700")
Sender: linux-kernel-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

Andy Lutomirski writes:

> On Wed, Aug 14, 2013 at 12:53 PM, Eric W. Biederman wrote:
>> Andy Lutomirski writes:
>>
>>> On 08/14/2013 10:42 AM, Miklos Szeredi wrote:
>>>> There's a simple and effective way to prevent unlink(2) and rename(2)
>>>> from operating on any file or directory by simply mounting something
>>>> on it. In any mount instance in any namespace.
>>>>
>>>> Was this considered in the unprivileged mount design?
>>>>
>>>> The solution is also theoretically simple: mounts in unpriv namespaces
>>>> are marked "volatile" and are dissolved on an unlink type operation.
>>>
>>> I'd actually prefer the reverse: unprivileged mounts don't prevent
>>> unlink and rename. If the dentry goes away, then the mount could still
>>> exist, sans underlying file. (This is already supported on network
>>> filesystems.)
>>
>> Of course we do this in network filesystems by pretending the
>> rename/unlink did not actually happen. The vfs insists that it be lied
>> to instead of mirroring what actually happened.
>>
>> Again all of this is a question about efficient data structures and not
>> really one of semantics. Can either semantic be implemented in such a
>> way that it does not slow down the vfs?
>
> Given that vfs_unlink has:
>
>         if (d_mountpoint(dentry))
>                 error = -EBUSY;
>
> I think it's just a matter of changing / deleting that code.

Deleting the code is completely unacceptable as it generates mounts that
can never be unmounted.

Changing this code is what we were discussing. My point is that an
efficient replacement is not immediately obvious, and a solution that
degrades the performance of the fast path of the vfs to make this case
work better is not likely to be acceptable.

Eric