From: ebiederm@xmission.com (Eric W. Biederman)
Subject: Re: [PATCH 3/4] fs: allow mknod in user namespaces
Date: Fri, 15 Mar 2013 13:43:10 -0700
Message-ID: <87a9q4gzs1.fsf@xmission.com>
References: <1363338823-25292-1-git-send-email-glommer@parallels.com> <1363338823-25292-4-git-send-email-glommer@parallels.com>
In-Reply-To: <1363338823-25292-4-git-send-email-glommer@parallels.com> (Glauber Costa's message of "Fri, 15 Mar 2013 13:13:42 +0400")
To: Glauber Costa
Cc: Andrew Morton, Serge Hallyn, Aristeu Rozanski
List-ID: linux-fsdevel

Glauber Costa writes:

> Since we have strict control on who access the devices, it should be
> no problem to allow the device to appear.

Having cgroups or user namespaces grant privileges makes me uneasy.

With these patches it looks like I can do something evil like:

1. Create a devcgroup.
2. Put a process in it.
3. Create a user namespace.
4. Run a container in that user namespace.
5. As an unprivileged user in that user namespace create another user namespace.
6. Call mknod and have it succeed.

Or, in short, I don't think this handles nested user namespaces at all. With or without Serge's suggested change.

At a practical level now is not the right time to be granting more permissions to user namespaces. Lately too many silly bugs have been found in what is already there.

Eric